Ubuntu
haproxy package

Merge ~lucaskanashiro/ubuntu/+source/haproxy:focal-mre into ubuntu/+source/haproxy:ubuntu/focal-devel

Git
lp:~lucaskanashiro/ubuntu/+source/haproxy
focal-mre
Merge into ubuntu/focal-devel

Proposed by Lucas Kanashiro on 2022-08-29

Status:	Merged
Approved by:	git-ubuntu bot on 2022-09-01
Approved revision:	not available
Merge reported by:	Lucas Kanashiro
Merged at revision:	e6f5d977ade8c6ac8ba443f1d0a703818f69915f
Proposed branch:	~lucaskanashiro/ubuntu/+source/haproxy:focal-mre
Merge into:	ubuntu/+source/haproxy:ubuntu/focal-devel
Diff against target:	3076 lines (+954/-440) 68 files modified .github/matrix.py (+6/-3) .github/workflows/cross-zoo.yml (+110/-0) .github/workflows/vtest.yml (+5/-2) .github/workflows/windows.yml (+2/-1) CHANGELOG (+100/-0) Makefile (+5/-1) SUBVERS (+1/-1) VERDATE (+2/-2) VERSION (+1/-1) contrib/prometheus-exporter/service-prometheus.c (+1/-0) contrib/wurfl/wurfl/wurfl.h (+10/-5) debian/changelog (+18/-0) debian/patches/0002-Use-dpkg-buildflags-to-build-halog.patch (+0/-2) debian/patches/haproxy.service-add-documentation.patch (+4/-4) debian/patches/series (+0/-2) dev/null (+0/-175) doc/configuration.txt (+99/-41) doc/management.txt (+4/-0) doc/proxy-protocol.txt (+1/-1) include/common/buf.h (+1/-1) include/common/compiler.h (+3/-1) include/common/memory.h (+2/-2) include/common/standard.h (+3/-2) include/proto/server.h (+1/-0) include/proto/ssl_sock.h (+25/-0) include/types/global.h (+1/-0) include/types/listener.h (+11/-2) reg-tests/http-messaging/http_abortonclose.vtc (+27/-5) reg-tests/http-messaging/http_request_buffer.vtc (+29/-4) scripts/announce-release (+12/-11) scripts/make-releases-json (+103/-0) scripts/publish-release (+6/-0) src/backend.c (+0/-5) src/cache.c (+7/-7) src/cfgparse-listen.c (+2/-1) src/cfgparse.c (+40/-12) src/dns.c (+18/-6) src/ev_epoll.c (+2/-2) src/ev_evports.c (+2/-4) src/ev_kqueue.c (+2/-2) src/ev_poll.c (+2/-1) src/flt_spoe.c (+22/-9) src/h1.c (+4/-0) src/haproxy.c (+10/-2) src/hlua.c (+3/-1) src/hlua_fcn.c (+3/-0) src/hpack-dec.c (+9/-0) src/http_fetch.c (+9/-6) src/http_msg.c (+7/-1) src/listener.c (+6/-0) src/log.c (+8/-3) src/memory.c (+6/-6) src/mux_h1.c (+1/-1) src/mux_h2.c (+9/-2) src/mworker.c (+4/-2) src/peers.c (+40/-23) src/proto_http.c (+8/-2) src/proto_htx.c (+1/-0) src/proto_sockpair.c (+1/-1) src/proxy.c (+24/-10) src/sample.c (+2/-1) src/server.c (+4/-5) src/signal.c (+3/-0) src/ssl_sock.c (+50/-27) src/standard.c (+4/-3) src/stick_table.c (+29/-17) src/stream.c (+18/-8) src/stream_interface.c (+1/-1)
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
git-ubuntu bot	2022-08-29	Approve on 2022-09-01
Sergio Durigan Junior (community)	2022-08-29	Approve on 2022-09-01
Canonical Server	2022-08-29	Pending
Canonical Server Reporter	2022-08-29	Pending
Review via email: mp+429079@code.launchpad.net

This proposal supersedes a proposal from 2022-08-29.

Description of the change

Update with upstream version 2.0.29. MRE bug: LP #1987914

A couple of patches needed a refresh because there is a change in the systemd service unit file where network.target was replaced by network-online.target. The maintainers explained why they did that here (a bug fix basically):

https://github.com/haproxy/haproxy/commit/f49a6049b88b7a9f0f0a18b076f34ab83820445a

Moreover, most of the patches were applied in this version, therefore removed from the package.

PPA with the proposed package:

https://launchpad.net/~lucaskanashiro/+archive/ubuntu/haproxy-mre

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-08-31:

Thanks for the MP, Lucas.

I'd like to see an updated the d/changelog entry here to list the major bug fixes, just like you did for Jammy. I also took the liberty to trigger autopkgtest runs for every supported architecture against your PPA.

The first thing I did was to try to reproduce the upstream tarball import commit. I use a local, temporary gbp repository where I perform the import, and then I compare the commit generated by gbp against the commit in the MRE branch I'm reviewing.

For this specific MP, the two commits showed some differences. They are only related to files that seem to be auto-generated by github, and they're not really important for the build process per se, but I'm wondering why they're showing up. I grabbed the upstream tarball from this page:

https://www.haproxy.org/?_gl=1*xzll7y*_ga*MTQ0OTA0NDUxLjE2NTQ1OTYzNTE.*_ga_VKZPMRNGK5*MTY1NjMzMzA5Ni41Ny4xLjE2NTYzMzQ4MjcuMA..*_ga_MGHPDQ7WFP*MTY1NjMzMzA5Ni41Ni4xLjE2NTYzMzQ4MjcuMA..#down

Did you grab it from somewhere else?

The dropped patches are OK. The updated patches are also OK.

... and the autopkgtest run has finished, and everything looks OK.

review: Needs Information

Revision history for this message

Lucas Kanashiro (lucaskanashiro) wrote on 2022-09-01:

Thanks for the review Sergio. I did update the changelog with major and critical bug fixes as I did in the Jammy MP.

Regarding the upstream tarball, I did get it using uscan and used uupdate to update the source package, after that I committed all the changes. Not sure why it diverge it TBH.

Revision history for this message

Sergio Durigan Junior (sergiodj) wrote on 2022-09-01:

Thanks, Lucas.

Maybe there's something that uupdate does to get rid of these files... Anyway, as I said above, it's not really important and shouldn't block this upload.

Therefore, LGTM, +1.

review: Approve

Revision history for this message

Lucas Kanashiro (lucaskanashiro) wrote on 2022-09-01:

Thanks Sergio! Package uploaded:

Uploading haproxy_2.0.29-0ubuntu1.dsc
Uploading haproxy_2.0.29.orig.tar.gz
Uploading haproxy_2.0.29-0ubuntu1.debian.tar.xz
Uploading haproxy_2.0.29-0ubuntu1_source.buildinfo
Uploading haproxy_2.0.29-0ubuntu1_source.changes

Revision history for this message

git-ubuntu bot (git-ubuntu-bot) wrote on 2022-09-01:

Approvers: lucaskanashiro, sergiodj
Uploaders: lucaskanashiro, sergiodj
MP auto-approved

review: Approve

~lucaskanashiro/ubuntu/+source/haproxy:focal-mre updated on 2023-03-22

cbc0ff8... by Lucas Kanashiro on 2023-03-22: Import upstream version 2.0.31 (LP: #2012557)
2f28b07... by Lucas Kanashiro on 2023-03-22: Remove patches applied by upstream
e6f5d97... by Lucas Kanashiro on 2023-03-22: changelog
95521a4... by Lucas Kanashiro on 2023-03-22: Refresh existing patches

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Lucas Kanashiro

git-ubuntu developers

 diff --git a/.github/matrix.py b/.github/matrix.py
 index 2ea3053..3d704ae 100644
 --- a/.github/matrix.py
 +++ b/.github/matrix.py
@@ -8,6 +8,7 @@
  import json
  import sys
++from os import environ
  if len(sys.argv) == 2:
      build_type = sys.argv[1]
@@ -50,7 +51,7 @@ matrix = []
  # Ubuntu
--os = "ubuntu-latest"
++os = "ubuntu-20.04"
  TARGET = "linux-glibc"
  for CC in ["gcc", "clang"]:
      matrix.append(
@@ -125,7 +126,7 @@ for CC in ["gcc", "clang"]:
  # ASAN
--os = "ubuntu-latest"
++os = "ubuntu-20.04"
  CC = "clang"
  TARGET = "linux-glibc"
  matrix.append(
@@ -173,4 +174,6 @@ for CC in ["clang"]:
  print(json.dumps(matrix, indent=4, sort_keys=True))
--print("::set-output name=matrix::{}".format(json.dumps({"include": matrix})))
++if environ.get('GITHUB_OUTPUT') is not None:
++    with open(environ.get('GITHUB_OUTPUT'), 'a') as f:
++        print("matrix={}".format(json.dumps({"include": matrix})), file=f)
 diff --git a/.github/workflows/cross-zoo.yml b/.github/workflows/cross-zoo.yml
 new file mode 100644
 index 0000000..e2a5816
 --- /dev/null
 +++ b/.github/workflows/cross-zoo.yml
@@ -0,0 +1,110 @@
++#
++# this is naamed "zoo" after OpenSSL "cross zoo pipeline"
++#
++name: Cross Compile
++
++on:
++  schedule:
++    - cron: "0 0 21 * *"
++
++permissions:
++  contents: read
++
++jobs:
++  cross-compilation:
++    strategy:
++      matrix:
++        platform: [
++          {
++            arch: aarch64-linux-gnu,
++            libs: libc6-dev-arm64-cross,
++            target: linux-aarch64
++          }, {
++            arch: alpha-linux-gnu,
++            libs: libc6.1-dev-alpha-cross,
++            target: linux-alpha-gcc
++          }, {
++            arch: arm-linux-gnueabi,
++            libs: libc6-dev-armel-cross,
++            target: linux-armv4
++          }, {
++            arch: arm-linux-gnueabihf,
++            libs: libc6-dev-armhf-cross,
++            target: linux-armv4
++          }, {
++            arch: hppa-linux-gnu,
++            libs: libc6-dev-hppa-cross,
++            target: -static linux-generic32
++          }, {
++            arch: m68k-linux-gnu,
++            libs: libc6-dev-m68k-cross,
++            target: -static -m68040 linux-latomic
++          }, {
++            arch: mips-linux-gnu,
++            libs: libc6-dev-mips-cross,
++            target: -static linux-mips32
++          }, {
++            arch: mips64-linux-gnuabi64,
++            libs: libc6-dev-mips64-cross,
++            target: -static linux64-mips64
++          }, {
++            arch: mipsel-linux-gnu,
++            libs: libc6-dev-mipsel-cross,
++            target: linux-mips32
++          }, {
++            arch: powerpc64le-linux-gnu,
++            libs: libc6-dev-ppc64el-cross,
++            target: linux-ppc64le
++          }, {
++            arch: riscv64-linux-gnu,
++            libs: libc6-dev-riscv64-cross,
++            target: linux64-riscv64
++          }, {
++            arch: s390x-linux-gnu,
++            libs: libc6-dev-s390x-cross,
++            target: linux64-s390x
++          }, {
++            arch: sh4-linux-gnu,
++            libs: libc6-dev-sh4-cross,
++            target: no-async linux-latomic
++          }, {
++            arch: hppa-linux-gnu,
++            libs: libc6-dev-hppa-cross,
++            target: linux-generic32,
++          }, {
++            arch: m68k-linux-gnu,
++            libs: libc6-dev-m68k-cross,
++            target: -mcfv4e linux-latomic
++          }, {
++            arch: mips-linux-gnu,
++            libs: libc6-dev-mips-cross,
++            target: linux-mips32
++          }, {
++            arch: mips64-linux-gnuabi64,
++            libs: libc6-dev-mips64-cross,
++            target: linux64-mips64
++          }, {
++            arch: sparc64-linux-gnu,
++            libs: libc6-dev-sparc64-cross,
++            target: linux64-sparcv9
++          }
++        ]
++    runs-on: ubuntu-latest
++    steps:
++    - name: install packages
++      run: |
++        sudo apt-get update
++        sudo apt-get -yq --force-yes install \
++            gcc-${{ matrix.platform.arch }} \
++            ${{ matrix.platform.libs }}
++    - uses: actions/checkout@v2
++
++
++    - name: install quictls
++      run: |
++        QUICTLS_EXTRA_ARGS="--cross-compile-prefix=${{ matrix.platform.arch }}- ${{ matrix.platform.target }}" QUICTLS=yes scripts/build-ssl.sh
++
++    - name: Build
++      run: |
++        make ERR=1 CC=${{ matrix.platform.arch }}-gcc TARGET=linux-glibc USE_LIBCRYPT= USE_OPENSSL=1 USE_QUIC=1 USE_PROMEX=1 SSL_LIB=${HOME}/opt/lib SSL_INC=${HOME}/opt/include ADDLIB="-Wl,-rpath,${HOME}/opt/lib"
++
 diff --git a/.github/workflows/vtest.yml b/.github/workflows/vtest.yml
 index 8c838cc..b919418 100644
 --- a/.github/workflows/vtest.yml
 +++ b/.github/workflows/vtest.yml
@@ -49,7 +49,7 @@ jobs:
      - name: Generate cache key
        id: generate-cache-key
        run: |
--        echo "::set-output name=key::$(echo ${{ matrix.name }} | sha256sum | awk '{print $1}')"
++        echo "key=$(echo ${{ matrix.name }} | sha256sum | awk '{print $1}')" >> $GITHUB_OUTPUT
      - name: Cache SSL libs
        if: ${{ matrix.ssl && matrix.ssl != 'stock' && matrix.ssl != 'BORINGSSL=yes' && matrix.ssl != 'QUICTLS=yes' }}
@@ -96,6 +96,9 @@ jobs:
        run: make -C contrib/wurfl
      - name: Compile HAProxy with ${{ matrix.CC }}
        run: |
++        echo "::group::Show compiler's version"
++        echo | ${{ matrix.CC }} -v
++        echo "::endgroup::"
          echo "::group::Show platform specific defines"
          echo | ${{ matrix.CC }} -dM -xc -E -
          echo "::endgroup::"
@@ -119,7 +122,7 @@ jobs:
          fi
          echo "::endgroup::"
          haproxy -vv
--        echo "::set-output name=version::$(haproxy -v |awk 'NR==1{print $3}')"
++        echo "version=$(haproxy -v |awk 'NR==1{print $3}')" >> $GITHUB_OUTPUT
      - name: Install problem matcher for VTest
        # This allows one to more easily see which tests fail.
        run: echo "::add-matcher::.github/vtest.json"
 diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
 index ceac981..0292e09 100644
 --- a/.github/workflows/windows.yml
 +++ b/.github/workflows/windows.yml
@@ -55,9 +55,10 @@ jobs:
            ERR=1 \
            TARGET=${{ matrix.TARGET }} \
            CC=${{ matrix.CC }} \
++          DEBUG_CFLAGS="-g -Wno-deprecated-declarations" \
            ${{ join(matrix.FLAGS, ' ') }}
      - name: Show HAProxy version
        id: show-version
        run: |
          ./haproxy -vv
--        echo "::set-output name=version::$(./haproxy -v |awk 'NR==1{print $3}')"
++        echo "version=$(./haproxy -v |awk 'NR==1{print $3}')" >> $GITHUB_OUTPUT
 diff --git a/CHANGELOG b/CHANGELOG
 index 6ae4bed..4b5713f 100644
 --- a/CHANGELOG
 +++ b/CHANGELOG
@@ -1,6 +1,106 @@
  ChangeLog :
  ===========
++2023/02/14 : 2.0.31
++    - SCRIPTS: announce-release: add a link to the data plane API
++    - CI: github: change "ubuntu-latest" to "ubuntu-20.04"
++    - BUG/MEDIUM: ssl: Verify error codes can exceed 63
++    - BUG/MINOR: ssl: Fix potential overflow
++    - BUG/MEDIUM: mworker: fix segv in early failure of mworker mode with peers
++    - BUG/MEDIUM: resolvers: Use tick_first() to update the resolvers task timeout
++    - LICENSE: wurfl: clarify the dummy library license.
++    - BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream flag set
++    - BUG/MINOR: pool/stats: Use ullong to report total pool usage in bytes in stats
++    - BUILD: makefile: build the features list dynamically
++    - BUILD: makefile: sort the features list
++    - BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is realigned
++    - BUG/MINOR: resolvers: Wait the resolution execution for a do_resolv action
++    - BUG/MINOR: promex: Don't forget to consume the request on error
++    - BUG/MINOR: http-fetch: Don't block HTTP sample fetch eval in HTTP_MSG_ERROR state
++    - BUG/MINOR: http-ana: make set-status also update txn->status
++    - BUG/MEDIUM: ssl: wrong eviction from the session cache tree
++    - BUG/MEDIUM: stick-table: do not leave entries in end of window during purge
++    - BUG/MEDIUM: cache: use the correct time reference when comparing dates
++    - DOC: config: fix option spop-check proxy compatibility
++    - DOC: config: 'http-send-name-header' option may be used in default section
++    - DOC: proxy-protocol: fix wrong byte in provided example
++    - CI: github: don't warn on deprecated openssl functions on windows
++    - BUG/CRITICAL: http: properly reject empty http header field names
++
++2022/12/09 : 2.0.30
++    - CI: determine actual LibreSSL version dynamically
++    - BUILD: fix build warning on solaris based systems with __maybe_unused.
++    - REGTESTS: abortonclose: Fix some race conditions
++    - BUG/MINOR: peers: fix error reporting of "bind" lines
++    - BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
++    - BUG/MEDIUM: peers: fix segfault using multiple bind on peers sections
++    - BUG/MEDIUM: peers: prevent unitialized multiple listeners on peers section
++    - BUG/MEDIUM: sample: Fix adjusting size in word converter
++    - SCRIPTS: add make-releases-json to recreate a releases.json file in download dirs
++    - SCRIPTS: make publish-release try to launch make-releases-json
++    - DOC: peers: indicate that some server settings are not usable
++    - DOC: peers: clarify when entry expiration date is renewed.
++    - DOC: peers: fix port number and addresses on new peers section format
++    - BUG/MINOR: conn_stream: do not confirm a connection from the frontend path
++    - REGTESTS: abortonclose: Add a barrier to not mix up log messages
++    - REGTESTS: http_request_buffer: Increase client timeout to wait "slow" clients
++    - BUILD: compiler: implement unreachable for older compilers too
++    - BUG/MINOR: server: do not enable DNS resolution on disabled proxies
++    - BUG/MINOR: http-ana: Set method to HTTP_METH_OTHER when an HTTP txn is created
++    - BUG/MINOR: http-fetch: Use integer value when possible in "method" sample fetch
++    - BUG/MINOR: peers/config: always fill the bind_conf's argument
++    - BUG/MINOR: peers: fix possible NULL dereferences at config parsing
++    - BUG/MINOR: backend: Fallback on RR algo if balance on source is impossible
++    - BUG/MINOR: sockpair: wrong return value for fd_send_uxst()
++    - BUG/MINOR: ssl: free the fields in srv->ssl_ctx
++    - MINOR: peers: Use a dedicated reconnect timeout when stopping the local peer
++    - BUG/MEDIUM: peers: limit reconnect attempts of the old process on reload
++    - BUG/MINOR: peers: Use right channel flag to consider the peer as connected
++    - MINOR: server: Constify source server to copy its settings
++    - REORG: server: Export srv_settings_cpy() function
++    - BUG/MEDIUM: proxy: Perform a custom copy for default server settings
++    - BUILD: http: silence an uninitialized warning affecting gcc-5
++    - BUG/MEDIUM: mux-h2: do not fiddle with ->dsi to indicate demux is idle
++    - BUG/MINOR: resolvers: return the correct value in resolvers_finalize_config()
++    - DOC: configuration: do-resolve doesn't work with a port in the string
++    - BUG/MEDIUM: spoe: Properly update streams waiting for a ACK in async mode
++    - BUG/MEDIUM: peers: Add connect and server timeut to peers proxy
++    - BUG/MEDIUM: peers: Don't use resync timer when local resync is in progress
++    - BUG/MEDIUM: peers: Don't start resync on reload if local peer is not up-to-date
++    - REGTESTS: http_request_buffer: Add a barrier to not mix up log messages
++    - BUG/MINOR: h1: Support headers case adjustment for TCP proxies
++    - BUG/MINOR: signals/poller: set the poller timeout to 0 when there are signals
++    - BUG/MINOR: signals/poller: ensure wakeup from signals
++    - BUG/MEDIUM: proxy: ensure pause_proxy() and resume_proxy() own PROXY_LOCK
++    - BUG/MEDIUM: captures: free() an error capture out of the proxy lock
++    - SCRIPTS: announce-release: update some URLs to https
++    - BUG/MINOR: log: improper behavior when escaping log data
++    - BUILD: fix compilation for OpenSSL-3.0.0-alpha17
++    - BUILD: cfgparse: Fix GCC warning about a variable used after realloc
++    - BUG/MEDIUM: lua: handle stick table implicit arguments right.
++    - BUG/MINOR: http-fetch: Update method after a prefetch in smp_fetch_meth()
++    - BUILD: http_fetch: silence an uninitiialized warning with gcc-4/5/6 at -Os
++    - DOC: configuration: missing 'if' in tcp-request content example
++    - BUG/MAJOR: stick-tables: do not try to index a server name for applets
++    - CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in matrix.py
++    - CI: Replace the deprecated `::set-output` command by writing to $GITHUB_OUTPUT in workflow definition
++    - DOC: management: add forgotten "show startup-logs"
++    - BUG/MAJOR: stick-table: don't process store-response rules for applets
++    - BUG/MEDIUM: stick-table: fix a race condition when updating the expiration task
++    - CI: add monthly gcc cross compile jobs
++    - CI: emit the compiler's version in the build reports
++    - BUG/MEDIUM: listener: Fix race condition when updating the global mngmt task
++    - BUG/MINOR: http_ana/txn: don't re-initialize txn and req var lists
++    - BUG/MEDIUM: peers: messages about unkown tables not correctly ignored
++    - BUILD: peers: Remove unused variables
++    - BUILD: listener: fix build warning on global_listener_rwlock without threads
++    - DOC: config: provide some configuration hints for "http-reuse"
++    - DOC: config: clarify the fact that SNI should not be used in HTTP scenarios
++    - DOC: config: explain how default matching method for ACL works
++    - DOC: config: clarify the fact that "retries" is not just for connections
++    - DOC: config: clarify the -m dir and -m dom pattern matching methods
++    - Revert "CI: determine actual LibreSSL version dynamically"
++
 /05/13 : 2.0.29
      - BUG/MINOR: tools: fix url2sa return value with IPv4
      - Revert "BUG/MAJOR: mux-pt: Always destroy the backend connection on detach"
 diff --git a/Makefile b/Makefile
 index 7eddac0..bd1042b 100644
 --- a/Makefile
 +++ b/Makefile
@@ -449,7 +449,11 @@ ignore_implicit = $(if $(subst environment,,$(origin $(1))),         \
  # is used to report a list of all flags which were used to build this version.
  # Do not assign anything to it.
  BUILD_OPTIONS  := $(foreach opt,$(use_opts),$(call ignore_implicit,$(opt)))
--BUILD_FEATURES := $(foreach opt,$(patsubst USE_%,%,$(use_opts)),$(if $(USE_$(opt)),+$(opt),-$(opt)))
++
++# Make a list of all known features with +/- prepended depending on their
++# activation status. Must be a macro so that dynamically enabled ones are
++# evaluated with their current status.
++BUILD_FEATURES  = $(foreach opt,$(patsubst USE_%,%,$(sort $(use_opts))),$(if $(USE_$(opt)),+$(opt),-$(opt)))
  # All USE_* options have their equivalent macro defined in the code (some might
  # possibly be unused though)
 diff --git a/SUBVERS b/SUBVERS
 index 50af805..e1824da 100644
 --- a/SUBVERS
 +++ b/SUBVERS
@@ -1,2 +1,2 @@
---5e15b0f
++-c8b1c15
 diff --git a/VERDATE b/VERDATE
 index cba5e36..2f36592 100644
 --- a/VERDATE
 +++ b/VERDATE
@@ -1,2 +1,2 @@
--2022-05-13 17:43:21 +0200
--2022/05/13
++2023-02-14 16:58:28 +0100
++2023/02/14
 diff --git a/VERSION b/VERSION
 index 3df5a46..e235558 100644
 --- a/VERSION
 +++ b/VERSION
@@ -1 +1 @@
--2.0.29
++2.0.31
 diff --git a/contrib/prometheus-exporter/service-prometheus.c b/contrib/prometheus-exporter/service-prometheus.c
 index d420cbc..3cc502c 100644
 --- a/contrib/prometheus-exporter/service-prometheus.c
 +++ b/contrib/prometheus-exporter/service-prometheus.c
@@ -2465,6 +2465,7 @@ static void promex_appctx_handle_io(struct appctx *appctx)
  	res->flags |= CF_READ_NULL;
  	si_shutr(si);
  	si_shutw(si);
++	goto out;
+ }
  struct applet promex_applet = {
 diff --git a/contrib/wurfl/wurfl/wurfl.h b/contrib/wurfl/wurfl/wurfl.h
 index ca512da..4e089c2 100644
 --- a/contrib/wurfl/wurfl/wurfl.h
 +++ b/contrib/wurfl/wurfl/wurfl.h
@@ -4,11 +4,16 @@
   * Copyright (c) ScientiaMobile, Inc.
   * http://www.scientiamobile.com
+  *
-- * This software package is the property of ScientiaMobile Inc. and is licensed
-- * commercially according to a contract between the Licensee and ScientiaMobile Inc. (Licensor).
-- * If you represent the Licensee, please refer to the licensing agreement which has been signed
-- * between the two parties. If you do not represent the Licensee, you are not authorized to use
-- * this software in any way.
++ * This software package is the property of ScientiaMobile Inc. and is distributed under
++ * a dual licensing scheme:
++ *
++ * 1) commercially according to a contract between the Licensee and ScientiaMobile Inc. (Licensor).
++ *    If you represent the Licensee, please refer to the licensing agreement which has been signed
++ *    between the two parties. If you do not represent the Licensee, you are not authorized to use
++ *    this software in any way.
++ *
++ * 2) LGPL when used in the context of the HAProxy project with the purpose of testing compatibility
++ *    of HAProxy with ScientiaMobile software.
+  *
   */
 diff --git a/debian/changelog b/debian/changelog
 index 2e61d7f..5e79222 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,21 @@
++haproxy (2.0.31-0ubuntu0.1) focal; urgency=medium
++
++  * New upstream release (LP: #2012557).
++    - Major and critical bug fixes according to the upstream changelog:
++      + BUG/MAJOR: stick-tables: do not try to index a server name for applets
++      + BUG/MAJOR: stick-table: don't process store-response rules for applets
++      + BUG/MAJOR: buf: Fix copy of wrapping output data when a buffer is
++        realigned
++      + BUG/CRITICAL: http: properly reject empty http header field names
++    - Remove patches applied by upstream in debian/patches:
++      + CVE-2023-0056.patch
++      + CVE-2023-25725.patch
++    - Refresh existing patches in debian/patches:
++      + 0002-Use-dpkg-buildflags-to-build-halog.patch
++      + haproxy.service-add-documentation.patch
++
++ -- Lucas Kanashiro <kanashiro@ubuntu.com>  Wed, 22 Mar 2023 17:39:46 -0300
++
  haproxy (2.0.29-0ubuntu1.3) focal-security; urgency=medium
    * SECURITY UPDATE: incorrect handling of empty http header field names
 diff --git a/debian/patches/0002-Use-dpkg-buildflags-to-build-halog.patch b/debian/patches/0002-Use-dpkg-buildflags-to-build-halog.patch
 index a039316..94e1fb1 100644
 --- a/debian/patches/0002-Use-dpkg-buildflags-to-build-halog.patch
 +++ b/debian/patches/0002-Use-dpkg-buildflags-to-build-halog.patch
@@ -8,8 +8,6 @@ Last-Update: 2013-07-02
   contrib/halog/Makefile | 16 +++++-----------
 file changed, 5 insertions(+), 11 deletions(-)
--diff --git a/contrib/halog/Makefile b/contrib/halog/Makefile
--index 5e687c0..ab34027 100644
  --- a/contrib/halog/Makefile
  +++ b/contrib/halog/Makefile
@@ -1,22 +1,16 @@
 diff --git a/debian/patches/CVE-2023-0056.patch b/debian/patches/CVE-2023-0056.patch
 deleted file mode 100644
 index a10f21b..0000000
 --- a/debian/patches/CVE-2023-0056.patch
 +++ /dev/null
@@ -1,39 +0,0 @@
--Backport of:
--
--From 827a6299e6995c5c3ba620d8b7cbacdaef67f2c4 Mon Sep 17 00:00:00 2001
--From: Christopher Faulet <cfaulet@haproxy.com>
--Date: Thu, 22 Dec 2022 09:47:01 +0100
--Subject: [PATCH] BUG/MEDIUM: mux-h2: Refuse interim responses with end-stream
-- flag set
--
--As state in RFC9113#8.1, HEADERS frame with the ES flag set that carries an
--informational status code is malformed. However, there is no test on this
--condition.
--
--On 2.4 and higher, it is hard to predict consequences of this bug because
--end of the message is only reported with a flag. But on 2.2 and lower, it
--leads to a crash because there is an unexpected extra EOM block at the end
--of an interim response.
--
--Now, when a ES flag is detected on a HEADERS frame for an interim message, a
--stream error is sent (RST_STREAM/PROTOCOL_ERROR).
--
--This patch should solve the issue #1972. It should be backported as far as
--2.0.
-----
-- src/mux_h2.c | 5 +++++
-- 1 file changed, 5 insertions(+)
--
----- a/src/mux_h2.c
--+++ b/src/mux_h2.c
--@@ -3935,6 +3935,10 @@ next_frame:
-- 		*flags |= H2_SF_HEADERS_RCVD;
--
-- 	if ((h2c->dff & H2_F_HEADERS_END_STREAM)) {
--+		if (msgf & H2_MSGF_RSP_1XX) {
--+			/* RFC9113#8.1 : HEADERS frame with the ES flag set that carries an informational status code is malformed */
--+			goto fail;
--+		}
-- 		/* Mark the end of message, either using EOM in HTX or with the
-- 		 * trailing CRLF after the end of trailers. Note that DATA_CHNK
-- 		 * is not set during headers with END_STREAM. For HTX trailers,
 diff --git a/debian/patches/CVE-2023-25725.patch b/debian/patches/CVE-2023-25725.patch
 deleted file mode 100644
 index e57d84b..0000000
 --- a/debian/patches/CVE-2023-25725.patch
 +++ /dev/null
@@ -1,175 +0,0 @@
--From 7382253d6a3636fa85510063bdcc9f2e8f8f696d Mon Sep 17 00:00:00 2001
--From: Willy Tarreau <w@1wt.eu>
--Date: Thu, 9 Feb 2023 21:36:54 +0100
--Subject: BUG/CRITICAL: http: properly reject empty http header field names
--
--The HTTP header parsers surprizingly accepts empty header field names,
--and this is a leftover from the original code that was agnostic to this.
--
--When muxes were introduced, for H2 first, the HPACK decompressor needed
--to feed headers lists, and since empty header names were strictly
--forbidden by the protocol, the lists of headers were purposely designed
--to be terminated by an empty header field name (a principle that is
--similar to H1's empty line termination). This principle was preserved
--and generalized to other protocols migrated to muxes (H1/FCGI/H3 etc)
--without anyone ever noticing that the H1 parser was still able to deliver
--empty header field names to this list. In addition to this it turns out
--that the HPACK decompressor, despite a comment in the code, may
--successfully decompress an empty header field name, and this mistake
--was propagated to the QPACK decompressor as well.
--
--The impact is that an empty header field name may be used to truncate
--the list of headers and thus make some headers disappear. While for
--H2/H3 the impact is limited as haproxy sees a request with missing
--headers, and headers are not used to delimit messages, in the case of
--HTTP/1, the impact is significant because the presence (and sometimes
--contents) of certain sensitive headers is detected during the parsing.
--Thus, some of these headers may be seen, marked as present, their value
--extracted, but never delivered to upper layers and obviously not
--forwarded to the other side either. This can have for consequence that
--certain important header fields such as Connection, Upgrade, Host,
--Content-length, Transfer-Encoding etc are possibly seen as different
--between what haproxy uses to parse/forward/route and what is observed
--in http-request rules and of course, forwarded. One direct consequence
--is that it is possible to exploit this property in HTTP/1 to make
--affected versions of haproxy forward more data than is advertised on
--the other side, and bypass some access controls or routing rules by
--crafting extraneous requests.  Note, however, that responses to such
--requests will normally not be passed back to the client, but this can
--still cause some harm.
--
--This specific risk can be mostly worked around in configuration using
--the following rule that will rely on the bug's impact to precisely
--detect the inconsistency between the known body size and the one
--expected to be advertised to the server (the rule works from 2.0 to
--2.8-dev):
--
--  http-request deny if { fc_http_major 1 } !{ req.body_size 0 } !{ req.hdr(content-length) -m found } !{ req.hdr(transfer-encoding) -m found } !{ method CONNECT }
--
--This will exclusively block such carefully crafted requests delivered
--over HTTP/1. HTTP/2 and HTTP/3 do not need content-length, and a body
--that arrives without being announced with a content-length will be
--forwarded using transfer-encoding, hence will not cause discrepancies.
--In HAProxy 2.0 in legacy mode ("no option http-use-htx"), this rule will
--simply have no effect but will not cause trouble either.
--
--A clean solution would consist in modifying the loops iterating over
--these headers lists to check the header name's pointer instead of its
--length (since both are zero at the end of the list), but this requires
--to touch tens of places and it's very easy to miss one. Functions such
--as htx_add_header(), htx_add_trailer(), htx_add_all_headers() would be
--good starting points for such a possible future change.
--
--Instead the current fix focuses on blocking empty headers where they
--are first inserted, hence in the H1/HPACK/QPACK decoders. One benefit
--of the current solution (for H1) is that it allows "show errors" to
--report a precise diagnostic when facing such invalid HTTP/1 requests,
--with the exact location of the problem and the originating address:
--
--  $ printf "GET / HTTP/1.1\r\nHost: localhost\r\n:empty header\r\n\r\n" | nc 0 8001
--  HTTP/1.1 400 Bad request
--  Content-length: 90
--  Cache-Control: no-cache
--  Connection: close
--  Content-Type: text/html
--
--  <html><body><h1>400 Bad request</h1>
--  Your browser sent an invalid request.
--  </body></html>
--
--  $ socat /var/run/haproxy.stat <<< "show errors"
--  Total events captured on [10/Feb/2023:16:29:37.530] : 1
--
--  [10/Feb/2023:16:29:34.155] frontend decrypt (#2): invalid request
--    backend <NONE> (#-1), server <NONE> (#-1), event #0, src 127.0.0.1:31092
--    buffer starts at 0 (including 0 out), 16334 free,
--    len 50, wraps at 16336, error at position 33
--    H1 connection flags 0x00000000, H1 stream flags 0x00000810
--    H1 msg state MSG_HDR_NAME(17), H1 msg flags 0x00001410
--    H1 chunk len 0 bytes, H1 body len 0 bytes :
--
--    00000  GET / HTTP/1.1\r\n
--    00016  Host: localhost\r\n
--    00033  :empty header\r\n
--    00048  \r\n
--
--I want to address sincere and warm thanks for their great work to the
--team composed of the following security researchers who found the issue
--together and reported it: Bahruz Jabiyev, Anthony Gavazzi, and Engin
--Kirda from Northeastern University, Kaan Onarlioglu from Akamai
--Technologies, Adi Peleg and Harvey Tuch from Google. And kudos to Amaury
--Denoyelle from HAProxy Technologies for spotting that the HPACK and
--QPACK decoders would let this pass despite the comment explicitly
--saying otherwise.
--
--This fix must be backported as far as 2.0. The QPACK changes can be
--dropped before 2.6. In 2.0 there is also the equivalent code for legacy
--mode, which doesn't suffer from the list truncation, but it would better
--be fixed regardless.
--
--CVE-2023-25725 was assigned to this issue.
--
-----
-- src/h1.c        | 4 ++++
-- src/hpack-dec.c | 9 +++++++++
-- src/http_msg.c  | 8 +++++++-
-- 3 files changed, 20 insertions(+), 1 deletion(-)
--
--diff --git a/src/h1.c b/src/h1.c
--index 3839fbe97..69a7cedcb 100644
----- a/src/h1.c
--+++ b/src/h1.c
--@@ -672,6 +672,10 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
--
-- 		if (likely(*ptr == ':')) {
-- 			col = ptr - start;
--+			if (col <= sol) {
--+				state = H1_MSG_HDR_NAME;
--+				goto http_msg_invalid;
--+			}
-- 			EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_hdr_l1_sp, http_msg_ood, state, H1_MSG_HDR_L1_SP);
-- 		}
--
--diff --git a/src/hpack-dec.c b/src/hpack-dec.c
--index 7f3e7624b..0fc71ebeb 100644
----- a/src/hpack-dec.c
--+++ b/src/hpack-dec.c
--@@ -425,6 +425,15 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len,
-- 			/* <name> and <value> are correctly filled here */
-- 		}
--
--+		/* We must not accept empty header names (forbidden by the spec and used
--+		 * as a list termination).
--+		 */
--+		if (!name.len) {
--+			hpack_debug_printf("##ERR@%d##\n", __LINE__);
--+			ret = -HPACK_ERR_INVALID_ARGUMENT;
--+			goto leave;
--+		}
--+
-- 		/* here's what we have here :
-- 		 *   - name.len > 0
-- 		 *   - value is filled with either const data or data allocated from tmp
--diff --git a/src/http_msg.c b/src/http_msg.c
--index 067a7f863..e07c81c67 100644
----- a/src/http_msg.c
--+++ b/src/http_msg.c
--@@ -1006,8 +1006,14 @@ void http_msg_analyzer(struct http_msg *msg, struct hdr_idx *idx)
-- 		if (likely(HTTP_IS_TOKEN(*ptr)))
-- 			EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_hdr_name, http_msg_ood, state, HTTP_MSG_HDR_NAME);
--
---		if (likely(*ptr == ':'))
--+		if (likely(*ptr == ':')) {
--+			if (ptr == input + msg->sol) {
--+				/* empty header names are not permitted */
--+				state = HTTP_MSG_HDR_NAME;
--+				goto http_msg_invalid;
--+			}
-- 			EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_hdr_l1_sp, http_msg_ood, state, HTTP_MSG_HDR_L1_SP);
--+		}
--
-- 		if (likely(msg->err_pos < -1) || *ptr == '\n') {
-- 			state = HTTP_MSG_HDR_NAME;
----
--2.35.3
--
 diff --git a/debian/patches/haproxy.service-add-documentation.patch b/debian/patches/haproxy.service-add-documentation.patch
 index 1ebd2f1..023cb17 100644
 --- a/debian/patches/haproxy.service-add-documentation.patch
 +++ b/debian/patches/haproxy.service-add-documentation.patch
@@ -11,11 +11,11 @@ Last-Update: 2022-08-26
  --- a/contrib/systemd/haproxy.service.in
  +++ b/contrib/systemd/haproxy.service.in
--@@ -1,5 +1,7 @@
++@@ -1,6 +1,6 @@
   [Unit]
   Description=HAProxy Load Balancer
--+Documentation=man:haproxy(1)
--+Documentation=file:/usr/share/doc/haproxy/configuration.txt.gz
-- After=network-online.target rsyslog.service
++-After=network-online.target rsyslog.service
+++After=network-online.target
   Wants=network-online.target
++ [Service]
 diff --git a/debian/patches/series b/debian/patches/series
 index f7b2e27..0945bb0 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -1,5 +1,3 @@
 -Use-dpkg-buildflags-to-build-halog.patch
  haproxy.service-start-after-syslog.patch
  haproxy.service-add-documentation.patch
--CVE-2023-0056.patch
--CVE-2023-25725.patch
 diff --git a/doc/configuration.txt b/doc/configuration.txt
 index 4394d07..4c7c59e 100644
 --- a/doc/configuration.txt
 +++ b/doc/configuration.txt
@@ -3,7 +3,7 @@
                            Configuration Manual
                           ----------------------
                                version 2.0
--                              2022/05/13
++                              2023/02/14
  This document covers the configuration language as implemented in the version
@@ -2106,9 +2106,10 @@ default-server [param*]
    Arguments:
      <param*>  is a list of parameters for this server. The "default-server"
                keyword accepts an important number of options and has a complete
--              section dedicated to it. Please refer to section 5 for more
--              details.
--
++              section dedicated to it. In a peers section, the transport
++              parameters of a "default-server" line are supported. Please refer
++              to section 5 for more details, and the "server" keyword below in
++              this section for some of the restrictions.
    See also: "server" and section 5 about server options
@@ -2140,12 +2141,16 @@ peer <peername> <ip>:<port> [param*]
  server <peername> [<ip>:<port>] [param*]
    As previously mentioned, "peer" keyword may be replaced by "server" keyword
--  with a support for all "server" parameters found in 5.2 paragraph.
--  If the underlying peer is local, <ip>:<port> parameters must not be present.
--  These parameters must  be provided on a "bind" line (see "bind" keyword
--  of this "peers" section).
--  Some of these parameters are irrelevant for "peers" sections.
++  with a support for all "server" parameters found in 5.2 paragraph that are
++  related to transport settings. If the underlying peer is local, <ip>:<port>
++  parameters must not be present; these parameters must be provided on a "bind"
++  line (see "bind" keyword of this "peers" section).
++  A number of "server" parameters are irrelevant for "peers" sections. Peers by
++  nature do not support dynamic host name resolution nor health checks, hence
++  parameters like "init_addr", "resolvers", "check", "agent-check", or "track"
++  are not supported. Similarly, there is no load balancing nor stickiness, thus
++  parameters such as "weight" or "cookie" have no effect.
    Example:
      # The old way.
@@ -2165,10 +2170,11 @@ server <peername> [<ip>:<port>] [param*]
     Example:
       peers mypeers
--         bind 127.0.0.11:10001 ssl crt mycerts/pem
--         default-server ssl verify none
--         server hostA  127.0.0.10:10000
--         server hostB  #local peer
++        bind 192.168.0.1:1024 ssl crt mycerts/pem
++        default-server ssl verify none
++        server haproxy1 #local peer
++        server haproxy2 192.168.0.2:1024
++        server haproxy3 10.2.0.1:1024
  table <tablename> type {ip | integer | string [len <length>] | binary [len <length>]}
@@ -2433,7 +2439,7 @@ http-check send-state                     X          -         X         X
  http-request                              -          X         X         X
  http-response                             -          X         X         X
  http-reuse                                X          -         X         X
--http-send-name-header                     -          -         X         X
++http-send-name-header                     X          -         X         X
  id                                        -          X         X         X
  ignore-persist                            -          -         X         X
  load-server-state-from-file               X          -         X         X
@@ -2493,7 +2499,7 @@ option socket-stats                  (*)  X          X         X         -
  option splice-auto                   (*)  X          X         X         X
  option splice-request                (*)  X          X         X         X
  option splice-response               (*)  X          X         X         X
--option spop-check                         -          -         -         X
++option spop-check                         X          -         X         X
  option srvtcpka                      (*)  X          -         X         X
  option ssl-hello-chk                      X          -         X         X
  -- keyword -------------------------- defaults - frontend - listen -- backend -
@@ -4466,7 +4472,8 @@ http-request do-resolve(<var>,<resolvers>,[ipv4,ipv6]) <expr> :
    based on information found in the request (IE a Host header).
    If this action is used to find the server's IP address (using the
    "set-dst" action), then the server IP address in the backend must be set
--  to 0.0.0.0.
++  to 0.0.0.0. The do-resolve action takes an host-only parameter, any port must
++  be removed from the string.
    Example:
      resolvers mydns
@@ -4481,7 +4488,7 @@ http-request do-resolve(<var>,<resolvers>,[ipv4,ipv6]) <expr> :
      frontend fe
        bind 10.42.0.1:80
--      http-request do-resolve(txn.myip,mydns,ipv4) hdr(Host),lower
++      http-request do-resolve(txn.myip,mydns,ipv4) hdr(Host),lower,regsub(:[0-9]*$,)
        http-request capture var(txn.myip) len 40
        # return 503 when the variable is not set,
@@ -5420,7 +5427,26 @@ http-reuse { never | safe | aggressive | always }
    because almost no new connection will be established while idle connections
    remain available. This is particularly true with the "always" strategy.
--  See also : "option http-keep-alive", "server maxconn"
++  The rules to decide to keep an idle connection opened or to close it after
++  processing are also governed by the "tune.pool-low-fd-ratio" (default: 20%)
++  and "tune.pool-high-fd-ratio" (default: 25%). These correspond to the
++  percentage of total file descriptors spent in idle connections above which
++  haproxy will respectively refrain from keeping a connection opened after a
++  response, and actively kill idle connections. Some setups using a very high
++  ratio of idle connections, either because of too low a global "maxconn", or
++  due to a lot of HTTP/2 or HTTP/3 traffic on the frontend (few connections)
++  but HTTP/1 connections on the backend, may observe a lower reuse rate because
++  too few connections are kept open. It may be desirable in this case to adjust
++  such thresholds or simply to increase the global "maxconn" value.
++
++  Similarly, when thread groups are explicitly enabled, it is important to
++  understand that idle connections are only usable between threads from a same
++  group. As such it may happen that unfair load between groups leads to more
++  idle connections being needed, causing a lower reuse rate. The same solution
++  may then be applied (increase global "maxconn" or increase pool ratios).
++
++  See also : "option http-keep-alive", "server maxconn", "thread-groups",
++             "tune.pool-high-fd-ratio", "tune.pool-low-fd-ratio"
  http-send-name-header [<header>]
@@ -7490,7 +7516,7 @@ no option splice-response
  option spop-check
    Use SPOP health checks for server testing
    May be used in sections :   defaults | frontend | listen | backend
--                                 no    |    no    |   no   |   yes
++                                 yes   |    no    |   yes  |   yes
    Arguments : none
    It is possible to test that the server correctly talks SPOP protocol instead
@@ -8333,24 +8359,26 @@ reqitarpit <search> [{if | unless} <cond>] (ignore case) (deprecated)
  retries <value>
--  Set the number of retries to perform on a server after a connection failure
++  Set the number of retries to perform on a server after a failure
    May be used in sections:    defaults | frontend | listen | backend
                                   yes   |    no    |   yes  |   yes
    Arguments :
--    <value>   is the number of times a connection attempt should be retried on
--              a server when a connection either is refused or times out. The
--              default value is 3.
++    <value>   is the number of times a request or connection attempt should be
++              retried on a server after a failure.
--  It is important to understand that this value applies to the number of
--  connection attempts, not full requests. When a connection has effectively
--  been established to a server, there will be no more retry.
++  By default, retries apply only to new connection attempts. However, when
++  the "retry-on" directive is used, other conditions might trigger a retry
++  (e.g. empty response, undesired status code), and each of them will count
++  one attempt, and when the total number attempts reaches the value here, an
++  error will be returned.
    In order to avoid immediate reconnections to a server which is restarting,
    a turn-around timer of min("timeout connect", one second) is applied before
--  a retry occurs.
++  a retry occurs on the same server.
--  When "option redispatch" is set, the last retry may be performed on another
--  server even if a cookie references a different server.
++  When "option redispatch" is set, some retries may be performed on another
++  server even if a cookie references a different server. By default this will
++  only be the last retry unless an argument is passed to "option redispatch".
    See also : "option redispatch"
@@ -9607,13 +9635,16 @@ stick-table type {ip | integer | string [len <length>] | binary [len <length>]}
                        belonging to the same unique process.
      <expire>   defines the maximum duration of an entry in the table since it
--               was last created, refreshed or matched. The expiration delay is
++               was last created, refreshed using 'track-sc' or matched using
++               'stick match' or 'stick on' rule. The expiration delay is
                 defined using the standard time format, similarly as the various
                 timeouts. The maximum duration is slightly above 24 days. See
                 section 2.4 for more information. If this delay is not specified,
                 the session won't automatically expire, but older entries will
                 be removed once full. Be sure not to use the "nopurge" parameter
                 if not expiration delay is specified.
++               Note: 'table_*' converters performs lookups but won't update touch
++               expire since they don't require 'track-sc'.
     <data_type> is used to store additional information in the stick-table. This
                 may be used by ACLs in order to control various criteria related
@@ -10448,7 +10479,7 @@ tcp-request content <action> [{if | unless} <condition>]
    evaluated.
    Example:
--    tcp-request content use-service lua.deny { src -f /etc/haproxy/blacklist.lst }
++    tcp-request content use-service lua.deny if { src -f /etc/haproxy/blacklist.lst }
    Example:
@@ -12880,8 +12911,10 @@ sni <expression>
    The "sni" parameter evaluates the sample fetch expression, converts it to a
    string and uses the result as the host name sent in the SNI TLS extension to
    the server. A typical use case is to send the SNI received from the client in
--  a bridged HTTPS scenario, using the "ssl_fc_sni" sample fetch for the
--  expression, though alternatives such as req.hdr(host) can also make sense. If
++  a bridged TCP/SSL scenario, using the "ssl_fc_sni" sample fetch for the
++  expression. THIS MUST NOT BE USED FOR HTTPS, where req.hdr(host) should be
++  used instead, since SNI in HTTPS must always match the Host field and clients
++  are allowed to use different host names over the same connection). If
    "verify required" is set (which is the recommended setting), the resulting
    name will also be matched against the server certificate's names. See the
    "verify" directive for more details. If you want to set a SNI for health
@@ -13520,7 +13553,11 @@ possible to convert the sample to lowercase before matching, like this :
  All ACL-specific criteria imply a default matching method. Most often, these
  criteria are composed by concatenating the name of the original sample fetch
  method and the matching method. For example, "hdr_beg" applies the "beg" match
--to samples retrieved using the "hdr" fetch method. Since all ACL-specific
++to samples retrieved using the "hdr" fetch method. This matching method is only
++usable when the keyword is used alone, without any converter. In case any such
++converter were to be applied after such an ACL keyword, the default matching
++method from the ACL keyword is simply ignored since what will matter for the
++matching is the output type of the last converter. Since all ACL-specific
  criteria rely on a sample fetch method, it is always possible instead to use
  the original sample fetch method and the explicit matching method using "-m".
@@ -13646,13 +13683,24 @@ different forms :
    - suffix match    (-m end) : the patterns are compared with the end of the
      extracted string, and the ACL matches if any of them matches.
--  - subdir match    (-m dir) : the patterns are looked up inside the extracted
--    string, delimited with slashes ("/"), and the ACL matches if any of them
--    matches.
--
--  - domain match    (-m dom) : the patterns are looked up inside the extracted
--    string, delimited with dots ("."), and the ACL matches if any of them
--    matches.
++  - subdir match    (-m dir) : the patterns are looked up anywhere inside the
++    extracted string, delimited with slashes ("/"), the beginning or the end
++    of the string. The ACL matches if any of them matches. As such, the string
++    "/images/png/logo/32x32.png", would match "/images", "/images/png",
++    "images/png", "/png/logo", "logo/32x32.png" or "32x32.png" but not "png"
++    nor "32x32".
++
++  - domain match    (-m dom) : the patterns are looked up anywhere inside the
++    extracted string, delimited with dots ("."), colons (":"), slashes ("/"),
++    question marks ("?"), the beginning or the end of the string. This is made
++    to be used with URLs. Leading and trailing delimiters in the pattern are
++    ignored. The ACL matches if any of them matches. As such, in the example
++    string "http://www1.dc-eu.example.com:80/blah", the patterns "http",
++    "www1", ".www1", "dc-eu", "example", "com", "80", "dc-eu.example",
++    "blah", ":www1:", "dc-eu.example:80" would match, but not "eu" nor "dc".
++    Using it to match domain suffixes for filtering or routing is generally
++    not a good idea, as the routing could easily be fooled by prepending the
++    matching prefix in front of another domain for example.
  String matching applies to verbatim strings as they are passed, with the
  exception of the backslash ("\") which makes it possible to escape some
@@ -16168,6 +16216,16 @@ ssl_fc_sni : string
    requires that the SSL library is built with support for TLS extensions
    enabled (check haproxy -vv).
++  CAUTION! Except under very specific conditions, it is normally not correct to
++  use this field as a substitute for the HTTP "Host" header field. For example,
++  when forwarding an HTTPS connection to a server, the SNI field must be set
++  from the HTTP Host header field using "req.hdr(host)" and not from the front
++  SNI value. The reason is that SNI is solely used to select the certificate
++  the server side will present, and that clients are then allowed to send
++  requests with different Host values as long as they match the names in the
++  certificate. As such, "ssl_fc_sni" should normally not be used as an argument
++  to the "sni" server keyword, unless the backend works in TCP mode.
++
    ACL derivatives :
      ssl_fc_sni_end : suffix match
      ssl_fc_sni_reg : regex match
 diff --git a/doc/management.txt b/doc/management.txt
 index 337cc14..f90110b 100644
 --- a/doc/management.txt
 +++ b/doc/management.txt
@@ -2458,6 +2458,10 @@ show stat [{<iid>|<proxy>} <type> <sid>] [typed|json]
    $ echo "show stat json" | socat /var/run/haproxy.sock stdio | \
      python -m json.tool
++show startup-logs
++  Dump all messages emitted during the startup of the current haproxy process,
++  each startup-logs buffer is unique to its haproxy worker.
++
  show table
    Dump general information on all known stick-tables. Their name is returned
    (the name of the proxy which holds them), their type (currently zero, always
 diff --git a/doc/proxy-protocol.txt b/doc/proxy-protocol.txt
 index ff64c8b..45bafe3 100644
 --- a/doc/proxy-protocol.txt
 +++ b/doc/proxy-protocol.txt
@@ -500,7 +500,7 @@ protocol. Identifying the protocol version is easy :
      - if the incoming byte count is 16 or above and the 13 first bytes match
        the protocol signature block followed by the protocol version 2 :
--           \x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x02
++           \x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A\x20
      - otherwise, if the incoming byte count is 8 or above, and the 5 first
        characters match the US-ASCII representation of "PROXY" then the protocol
 diff --git a/include/common/buf.h b/include/common/buf.h
 index 1ee6420..3770b9a 100644
 --- a/include/common/buf.h
 +++ b/include/common/buf.h
@@ -469,7 +469,7 @@ static inline void b_slow_realign(struct buffer *b, char *swap, size_t output)
  	/* process output data in two steps to cover wrapping */
  	if (block1 > b_size(b) - b_head_ofs(b)) {
--		block2 = b_size(b) - b_head_ofs(b);
++		block2 = b_peek_ofs(b, block1);
  		block1 -= block2;
+ 	}
  	memcpy(swap + b_size(b) - output, b_head(b), block1);
 diff --git a/include/common/compiler.h b/include/common/compiler.h
 index c023c9d..4b76cec 100644
 --- a/include/common/compiler.h
 +++ b/include/common/compiler.h
@@ -77,10 +77,12 @@
  #endif
  #endif
++#ifndef __maybe_unused
  /* silence the "unused" warnings without having to place painful #ifdefs.
   * For use with variables or functions.
   */
  #define __maybe_unused __attribute__((unused))
++#endif
  /* This allows gcc to know that some locations are never reached, for example
   * after a longjmp() in the Lua code, hence that some errors caught by such
@@ -91,7 +93,7 @@
  #if __GNUC__ >= 5 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 5)
  #define my_unreachable() __builtin_unreachable()
  #else
--#define my_unreachable()
++#define my_unreachable() do { } while (1)
  #endif
  /* This macro may be used to block constant propagation that lets the compiler
 diff --git a/include/common/memory.h b/include/common/memory.h
 index 6c0b137..ee3b7f0 100644
 --- a/include/common/memory.h
 +++ b/include/common/memory.h
@@ -131,8 +131,8 @@ void create_pool_callback(struct pool_head **ptr, char *name, unsigned int size)
  void dump_pools_to_trash();
  void dump_pools(void);
  int pool_total_failures();
--unsigned long pool_total_allocated();
--unsigned long pool_total_used();
++unsigned long long pool_total_allocated();
++unsigned long long pool_total_used();
  /*
   * This function frees whatever can be freed in pool <pool>.
 diff --git a/include/common/standard.h b/include/common/standard.h
 index 38e2bb7..49b72c8 100644
 --- a/include/common/standard.h
 +++ b/include/common/standard.h
@@ -498,7 +498,8 @@ char *encode_chunk(char *start, char *stop,
  /*
   * Tries to prefix characters tagged in the <map> with the <escape>
-- * character. The input <string> must be zero-terminated. The result will
++ * character. The input <string> is processed until string_stop
++ * is reached or NULL-byte is encountered. The result will
   * be stored between <start> (included) and <stop> (excluded). This
   * function will always try to terminate the resulting string with a '\0'
   * before <stop>, and will return its position if the conversion
@@ -506,7 +507,7 @@ char *encode_chunk(char *start, char *stop,
   */
  char *escape_string(char *start, char *stop,
  		    const char escape, const long *map,
--		    const char *string);
++		    const char *string, const char *string_stop);
  /*
   * Tries to prefix characters tagged in the <map> with the <escape>
 diff --git a/include/proto/server.h b/include/proto/server.h
 index 8934075..7f8c725 100644
 --- a/include/proto/server.h
 +++ b/include/proto/server.h
@@ -46,6 +46,7 @@ extern struct list toremove_connections[MAX_THREADS];
  int srv_downtime(const struct server *s);
  int srv_lastsession(const struct server *s);
  int srv_getinter(const struct check *check);
++void srv_settings_cpy(struct server *srv, const struct server *src, int srv_tmpl);
  int parse_server(const char *file, int linenum, char **args, struct proxy *curproxy, struct proxy *defproxy, int parse_addr, int in_peers_section, int initial_resolve);
  int update_server_addr(struct server *s, void *ip, int ip_sin_family, const char *updater);
  const char *update_server_addr_port(struct server *s, const char *addr, const char *port, char *updater);
 diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
 index d6d01a7..f23cbdc 100644
 --- a/include/proto/ssl_sock.h
 +++ b/include/proto/ssl_sock.h
@@ -102,6 +102,31 @@ void ssl_async_fd_free(int fd);
  #define sh_ssl_sess_tree_lookup(k)     (struct sh_ssl_sess_hdr *)ebmb_lookup(sh_ssl_sess_tree, \
                                                                      (k), SSL_MAX_SSL_SESSION_ID_LENGTH);
++
++static inline int cert_ignerr_bitfield_get(const unsigned long long *bitfield, int bit_index)
++{
++	int byte_index = bit_index >> 6;
++	int val = 0;
++
++	if (byte_index < IGNERR_BF_SIZE)
++		val = bitfield[byte_index] & (1ULL << (bit_index & 0x3F));
++
++	return val != 0;
++}
++
++static inline void cert_ignerr_bitfield_set(unsigned long long *bitfield, int bit_index)
++{
++	int byte_index = bit_index >> 6;
++
++	if (byte_index < IGNERR_BF_SIZE)
++		bitfield[byte_index] |= (1ULL << (bit_index & 0x3F));
++}
++
++static inline void cert_ignerr_bitfield_set_all(unsigned long long *bitfield)
++{
++	memset(bitfield, -1, IGNERR_BF_SIZE*sizeof(*bitfield));
++}
++
  #endif /* USE_OPENSSL */
  #endif /* _PROTO_SSL_SOCK_H */
 diff --git a/include/types/global.h b/include/types/global.h
 index eab3345..a505009 100644
 --- a/include/types/global.h
 +++ b/include/types/global.h
@@ -240,6 +240,7 @@ extern char hostname[MAX_HOSTNAME_LEN];
  extern char localpeer[MAX_HOSTNAME_LEN];
  extern struct list global_listener_queue; /* list of the temporarily limited listeners */
  extern struct task *global_listener_queue_task;
++__decl_hathreads(extern HA_RWLOCK_T global_listener_rwlock);
  extern unsigned int warned;     /* bitfield of a few warnings to emit just once */
  extern volatile unsigned long sleeping_thread_mask;
  extern struct list proc_list; /* list of process in mworker mode */
 diff --git a/include/types/listener.h b/include/types/listener.h
 index def48b0..10464fa 100644
 --- a/include/types/listener.h
 +++ b/include/types/listener.h
@@ -139,12 +139,21 @@ struct ssl_bind_conf {
  #endif
  };
++/*
++ * In OpenSSL 3.0.0, the biggest verify error code's value is 94 and on the
++ * latest 1.1.1 it already reaches 79 so we need to size the ca/crt-ignore-err
++ * arrays accordingly. If the max error code increases, the arrays might need to
++ * be resized.
++ */
++#define SSL_MAX_VFY_ERROR_CODE 94
++#define IGNERR_BF_SIZE ((SSL_MAX_VFY_ERROR_CODE >> 6) + 1)
++
  /* "bind" line settings */
  struct bind_conf {
  #ifdef USE_OPENSSL
  	struct ssl_bind_conf ssl_conf; /* ssl conf for ctx setting */
--	unsigned long long ca_ignerr;  /* ignored verify errors in handshake if depth > 0 */
--	unsigned long long crt_ignerr; /* ignored verify errors in handshake if depth == 0 */
++	unsigned long long ca_ignerr_bitfield[IGNERR_BF_SIZE];   /* ignored verify errors in handshake if depth > 0 */
++	unsigned long long crt_ignerr_bitfield[IGNERR_BF_SIZE];  /* ignored verify errors in handshake if depth == 0 */
  	SSL_CTX *initial_ctx;      /* SSL context for initial negotiation */
  	SSL_CTX *default_ctx;      /* SSL context of first/default certificate */
  	struct ssl_bind_conf *default_ssl_conf; /* custom SSL conf of default_ctx */
 diff --git a/reg-tests/http-messaging/http_abortonclose.vtc b/reg-tests/http-messaging/http_abortonclose.vtc
 index 733242b..b6066ba 100644
 --- a/reg-tests/http-messaging/http_abortonclose.vtc
 +++ b/reg-tests/http-messaging/http_abortonclose.vtc
@@ -7,10 +7,12 @@ feature ignore_unknown_macro
  #REQUIRE_VERSION=2.0
  #REGTEST_TYPE=slow
++# b0 : Wait s1 was detected as DOWN to be sure it is stopped
  # b1 : Don't send /c4 before /c3 was received by s2 server
  # b2 : Don't finish c2 before c1 and c3 before c4 (from syslog POV)
  # b3 : finish c3 before s2
++barrier b0 cond 2 -cyclic
  barrier b1 cond 2 -cyclic
  barrier b2 cond 2 -cyclic
  barrier b3 cond 2 -cyclic
@@ -32,12 +34,16 @@ server s2 {
  } -start
  syslog S -level info {
++    recv alert
++    expect ~ "[^:\\[ ]*\\[[0-9]*\\]: Server check/srv1 is DOWN.*"
++    barrier b0 sync
++
      recv
--    expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe1 be1/srv1 [0-9]*/[0-9]*/-1/-1/[0-9]* 503 .* - - SC-- .* .* \"GET /c1 HTTP/1\\.1\""
++    expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe1 be1_1/srv1 [0-9]*/[0-9]*/-1/-1/[0-9]* 503 .* - - SC-- .* .* \"GET /c1 HTTP/1\\.1\""
      barrier b2 sync
      recv
--    expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe1 be1/srv1 [0-9]*/[0-9]*/-1/-1/[0-9]* 503 .* - - CC-- .* .* \"GET /c2 HTTP/1\\.1\""
--
++    expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe1 be1_2/srv1 [0-9]*/[0-9]*/-1/-1/[0-9]* 503 .* - - CC-- .* .* \"GET /c2 HTTP/1\\.1\""
++    barrier b2 sync
      recv
      expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe2 be2/<NOSRV> [0-9]*/[0-9]*/-1/-1/[0-9]* 503 .* - - CQ-- .* .* \"GET /c4 HTTP/1\\.1\""
      barrier b2 sync
@@ -60,7 +66,8 @@ haproxy h1 -conf {
          option httplog
          log ${S_addr}:${S_port} local0 debug err
          bind "fd@${fe1}"
--        use_backend be1
++        use_backend be1_1 if { path /c1 }
++        use_backend be1_2 if { path /c2 }
      frontend fe2
          option httplog
@@ -68,13 +75,25 @@ haproxy h1 -conf {
          bind "fd@${fe2}"
          use_backend be2
--    backend be1
++    backend be1_1
++        server srv1 ${s1_addr}:${s1_port}
++
++    backend be1_2
++        timeout connect 1s
++        retries 10
          server srv1 ${s1_addr}:${s1_port}
      backend be2
          server srv1 ${s2_addr}:${s2_port} maxconn 1
++
++    backend check
++        server srv1 ${s1_addr}:${s1_port} check
++        log ${S_addr}:${S_port} local0 debug alert
  } -start
++# Wait s1 was detected as DOWN
++barrier b0 sync
++
  # No server, wait all connection retries : SC--
  client  c1 -connect ${h1_fe1_sock} {
      txreq -url /c1
@@ -90,6 +109,9 @@ client  c2 -connect ${h1_fe1_sock} {
      txreq -url /c2
  } -run
++# Wait c2 log entry
++barrier b2 sync
++
  # server with maxconn=1, abort waiting the server reply : CH--
  client  c3 -connect ${h1_fe2_sock} {
      txreq -url /c3
 diff --git a/reg-tests/http-messaging/http_request_buffer.vtc b/reg-tests/http-messaging/http_request_buffer.vtc
 index 4fd7bb2..3c47599 100644
 --- a/reg-tests/http-messaging/http_request_buffer.vtc
 +++ b/reg-tests/http-messaging/http_request_buffer.vtc
@@ -9,6 +9,8 @@ feature ignore_unknown_macro
  # thanks to "http-buffer-request". If this was the case, c2 client
  # could not connect to s1 server and this would lead to make this test fail.
++barrier b1 cond 2 -cyclic
++
  server s1 {
  	rxreq
  	expect req.bodylen == 257
@@ -24,12 +26,18 @@ server s1 {
  syslog S -level info {
  	recv
  	expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe1 fe1/<NOSRV> .* 408 .* - - cD-- .* .* \"GET /this-is-a-long-url-this-is-a-long-url-this-is-a-long-url-this-is-a-long-url-this-is-a-long-url-this-is-a-long-url-this-is-a-long-url HTTP/1\\.1\""
++	barrier b1 sync
++
  	recv
  	expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe1 be1/srv1 [0-9]*/[0-9]*/[0-9]*/[0-9]*/[0-9]* 200 .* - - ---- .* .* \"GET / HTTP/1\\.1\""
++	barrier b1 sync
++
  	recv
--	expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe1 be1/srv1 [0-9]*/[0-9]*/[0-9]*/[0-9]*/[0-9]* 200 .* - - ---- .* .* \"POST /1 HTTP/1\\.1\""
++	expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe2 be1/srv1 [0-9]*/[0-9]*/[0-9]*/[0-9]*/[0-9]* 200 .* - - ---- .* .* \"POST /1 HTTP/1\\.1\""
++	barrier b1 sync
++
  	recv
--	expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe1 be1/<NOSRV> [0-9]*/-1/-1/-1/[0-9]* -1 .* - - CR-- .* .* \"POST /2 HTTP/1\\.1\""
++	expect ~ "[^:\\[ ]*\\[[0-9]*\\]: .* .* fe2 be1/<NOSRV> [0-9]*/-1/-1/-1/[0-9]* -1 .* - - CR-- .* .* \"POST /2 HTTP/1\\.1\""
  } -start
  haproxy h1 -conf {
@@ -49,6 +57,14 @@ haproxy h1 -conf {
  		log ${S_addr}:${S_port} local0 debug err
  		bind "fd@${fe1}"
  		use_backend be1
++
++	frontend fe2
++	        timeout client 10s
++		option httplog
++		option http-buffer-request
++		log ${S_addr}:${S_port} local0 debug err
++		bind "fd@${fe2}"
++		use_backend be1
  } -start
  # 1 byte of the payload is missing.
@@ -80,6 +96,9 @@ client c1 -connect ${h1_fe1_sock} {
  	expect resp.status == 408
  } -run
++# Wait matching on log message
++barrier b1 sync
++
  # Payload is fully sent
  #   ==> Request must be sent to the server. A 200 must be received
  client c2 -connect ${h1_fe1_sock} {
@@ -88,10 +107,13 @@ client c2 -connect ${h1_fe1_sock} {
  	expect resp.status == 200
  } -run
++# Wait matching on log message
++barrier b1 sync
++
  # Payload is fully sent in 2 steps (with a small delay, smaller than the client
  # timeout) and splitted on a chunk size.
  #   ==> Request must be sent to the server. A 200 must be received
--client c3 -connect ${h1_fe1_sock} {
++client c3 -connect ${h1_fe2_sock} {
  	send "POST /1  HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n1\r\n1\r\n1"
  	delay 0.01
  	send "\r\n1\r\n0\r\n\r\n"
@@ -99,11 +121,14 @@ client c3 -connect ${h1_fe1_sock} {
  	expect resp.status == 200
  } -run
++# Wait matching on log message
++barrier b1 sync
++
  # Last CRLF of the request payload is missing but payload is sent in 2 steps
  # (with a small delay, smaller than the client timeout) and splitted on a chunk
  # size. The client aborts before sending the last CRLF.
  #   ==> Request must be handled as an error with 'CR--' termination state.
--client c4 -connect ${h1_fe1_sock} {
++client c4 -connect ${h1_fe2_sock} {
  	send "POST /2  HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n1\r\n1\r\n1"
  	delay 0.01
  	send "\r\n1\r\n0\r\n"
 diff --git a/scripts/announce-release b/scripts/announce-release
 index a229301..4c75a3b 100755
 --- a/scripts/announce-release
 +++ b/scripts/announce-release
@@ -210,20 +210,21 @@ else
  fi
  (echo "Please find the usual URLs below :"
-- echo "   Site index       : http://www.haproxy.org/"
-- echo "   Documentation    : http://docs.haproxy.org/"
++ echo "   Site index       : https://www.haproxy.org/"
++ echo "   Documentation    : https://docs.haproxy.org/"
   echo "   Wiki             : https://github.com/haproxy/wiki/wiki"
-- echo "   Discourse        : http://discourse.haproxy.org/"
++ echo "   Discourse        : https://discourse.haproxy.org/"
   echo "   Slack channel    : https://slack.haproxy.org/"
   echo "   Issue tracker    : https://github.com/haproxy/haproxy/issues"
-- echo "   Sources          : http://www.haproxy.org/download/${BRANCH}/src/"
-- echo "   Git repository   : http://git.haproxy.org/git/${gitdir}/"
-- echo "   Git Web browsing : http://git.haproxy.org/?p=${gitdir}"
-- echo "   Changelog        : http://www.haproxy.org/download/${BRANCH}/src/CHANGELOG"
-- echo "   Pending bugs     : http://www.haproxy.org/l/pending-bugs"
-- echo "   Reviewed bugs    : http://www.haproxy.org/l/reviewed-bugs"
-- echo "   Code reports     : http://www.haproxy.org/l/code-reports"
-- echo "   Latest builds    : http://www.haproxy.org/l/dev-packages"
++ echo "   Sources          : https://www.haproxy.org/download/${BRANCH}/src/"
++ echo "   Git repository   : https://git.haproxy.org/git/${gitdir}/"
++ echo "   Git Web browsing : https://git.haproxy.org/?p=${gitdir}"
++ echo "   Changelog        : https://www.haproxy.org/download/${BRANCH}/src/CHANGELOG"
++ echo "   Dataplane API    : https://github.com/haproxytech/dataplaneapi/releases/latest"
++ echo "   Pending bugs     : https://www.haproxy.org/l/pending-bugs"
++ echo "   Reviewed bugs    : https://www.haproxy.org/l/reviewed-bugs"
++ echo "   Code reports     : https://www.haproxy.org/l/code-reports"
++ echo "   Latest builds    : https://www.haproxy.org/l/dev-packages"
  ) >> "$OUTPUT"
  # sign
 diff --git a/scripts/make-releases-json b/scripts/make-releases-json
 new file mode 100755
 index 0000000..38bb2b6
 --- /dev/null
 +++ b/scripts/make-releases-json
@@ -0,0 +1,103 @@
++#!/usr/bin/env bash
++#
++# Scan a branch directory for source tarballs and rebuild the releases.json
++# file for that branch. md5 and sha256 are added if present. The highest
++# numberred version is referenced as the latest release.
++#
++# Usage: $0 [-b branch] [-o outfile] /path/to/download/branch
++#
++
++USAGE="Usage: ${0##*/} [-b branch] [-o outfile] DIR"
++OUTPUT=
++BRANCH=
++DIR=
++
++die() {
++	[ "$#" -eq 0 ] || echo "$*" >&2
++	exit 1
++}
++
++err() {
++	echo "$*" >&2
++}
++
++quit() {
++	[ "$#" -eq 0 -o -n "$QUIET" ] || echo "$*"
++	exit 0
++}
++
++emit_json() {
++	printf '{\n  "branch": "%s",\n' ${BRANCH}
++	latest=""
++	for file in $(find "$DIR/src" -name 'haproxy-[0-9]*.gz' -printf "%P\n" |grep -v '[0-9]-patches*' | sort -rV ); do
++		rel="${file##*haproxy-}"
++		rel="${rel%%.tar.*}"
++		if [ -z "$latest" ]; then
++			latest="$rel";
++			printf '  "latest_release": "%s",\n' ${latest}
++			printf '  "releases": {\n'
++		else
++			printf ",\n"
++		fi
++		printf '    "%s": {\n' ${rel}
++		printf '      "file": "%s"' ${file}
++		if [ -s "$DIR/src/$file.md5" ]; then
++			printf ',\n      "md5": "%s"' $(awk '{print $1}' "$DIR/src/$file.md5")
++		fi
++		if [ -s "$DIR/src/$file.sha256" ]; then
++			printf ',\n      "sha256": "%s"' $(awk '{print $1}' "$DIR/src/$file.sha256")
++		fi
++		printf '\n    }'
++	done
++
++	if [ -n "$latest" ]; then
++		printf "\n  }"  ## "releases"
++	fi
++
++	printf '\n}\n'
++}
++
++
++### main
++
++while [ -n "$1" -a -z "${1##-*}" ]; do
++	case "$1" in
++		-b)        BRANCH="$2"    ; shift 2 ;;
++		-o)        OUTPUT="$2"    ; shift 2 ;;
++		-h|--help) quit "$USAGE" ;;
++		*)         die  "$USAGE" ;;
++	esac
++done
++
++if [ $# -ne 1 ]; then
++	die "$USAGE"
++fi
++
++DIR="$1" ; shift
++if [ -z "$DIR" ]; then
++	die "Missing download directory name."
++fi
++
++if [ ! -d "$DIR/." ]; then
++	die "Download directory doesn't exist : $DIR"
++fi
++
++if [ ! -d "$DIR/src" ]; then
++	die "Download directory must contain 'src' : $DIR"
++fi
++
++if [ -z "$BRANCH" ]; then
++	BRANCH=${DIR##*/}
++	if [ -n "${BRANCH//[0-9.]}" ]; then
++		die "Couldn't determine branch number from dir name: $BRANCH"
++	fi
++fi
++
++# echo "debug: DIR=$DIR BRANCH=$BRANCH"
++if [ -n "$OUTPUT" ]; then
++	emit_json > "$OUTPUT.tmp"
++	mv -f "$OUTPUT.tmp" "$OUTPUT"
++	rm -f "$OUTPUT.tmp"
++else
++	emit_json
++fi
 diff --git a/scripts/publish-release b/scripts/publish-release
 index abde56f..d785244 100755
 --- a/scripts/publish-release
 +++ b/scripts/publish-release
@@ -17,6 +17,7 @@ BRANCH=
  DEVEL=
  QUIET=
  AUTO=
++ARG0="$0"
  NEW=
  DIR=
  DOC=( )
@@ -178,6 +179,11 @@ for i in "${DOC[@]}"; do
  	$CMD_GZIP < "$TARGET_DIR/doc/${i#doc/}" > "$TARGET_DIR/doc/${i#doc/}.gz"
  done
++if [ -x "${ARG0%/*}/make-releases-json" ]; then
++        # regenerate versions
++        "${ARG0%/*}/make-releases-json" -o "$TARGET_DIR/src/releases.json" "$TARGET_DIR"
++fi
++
  echo "Done : ls -l ${TARGET_DIR}"
  ( cd "$TARGET_DIR" ;
    ls -l src/CHANGELOG "src${DEVEL}/haproxy-${NEW}".tar.gz{,.md5,.sha256} $(for i in "${DOC[@]}"; do echo "doc/${i#doc/}"{,.gz}; done)
 diff --git a/src/backend.c b/src/backend.c
 index 056e53a..3fe9fdc 100644
 --- a/src/backend.c
 +++ b/src/backend.c
@@ -728,11 +728,6 @@ int assign_server(struct stream *s)
  							    (void *)&((struct sockaddr_in6 *)&conn->addr.from)->sin6_addr,
 , prev_srv);
+ 				}
--				else {
--					/* unknown IP family */
--					err = SRV_STATUS_INTERNAL;
--					goto out;
--				}
  				break;
  			case BE_LB_HASH_URI:
 diff --git a/src/cache.c b/src/cache.c
 index 07c406c..d94a76e 100644
 --- a/src/cache.c
 +++ b/src/cache.c
@@ -81,7 +81,7 @@ struct cache_st {
  struct cache_entry {
  	unsigned int latest_validation;     /* latest validation date */
--	unsigned int expire;      /* expiration date */
++	unsigned int expire;      /* expiration date (wall clock time) */
  	unsigned int age;         /* Origin server "Age" header value */
  	unsigned int eoh;         /* Origin server end of headers offset. */ // field used in legacy mode only
@@ -114,7 +114,7 @@ struct cache_entry *entry_exist(struct cache *cache, char *hash)
  	if (memcmp(entry->hash, hash, sizeof(entry->hash)))
  		return NULL;
--	if (entry->expire > now.tv_sec) {
++	if (entry->expire > date.tv_sec) {
  		return entry;
  	} else {
  		eb32_delete(node);
@@ -864,8 +864,8 @@ enum act_return http_action_store_cache(struct act_rule *rule, struct proxy *px,
  		shctx_unlock(shctx);
  		/* store latest value and expiration time */
--		object->latest_validation = now.tv_sec;
--		object->expire = now.tv_sec + http_calc_maxage(s, cconf->c.cache);
++		object->latest_validation = date.tv_sec;
++		object->expire = date.tv_sec + http_calc_maxage(s, cconf->c.cache);
  		return ACT_RET_CONT;
+ 	}
@@ -1059,7 +1059,7 @@ static int htx_cache_add_age_hdr(struct appctx *appctx, struct htx *htx)
  	char *end;
  	chunk_reset(&trash);
--	age = MAX(0, (int)(now.tv_sec - cache_ptr->latest_validation)) + cache_ptr->age;
++	age = MAX(0, (int)(date.tv_sec - cache_ptr->latest_validation)) + cache_ptr->age;
  	if (unlikely(age > CACHE_ENTRY_MAX_AGE))
  		age = CACHE_ENTRY_MAX_AGE;
  	end = ultoa_o(age, b_head(&trash), b_size(&trash));
@@ -1877,11 +1877,11 @@ static int cli_io_handler_show_cache(struct appctx *appctx)
  			entry = container_of(node, struct cache_entry, eb);
  			next_key = node->key + 1;
--			if (entry->expire > now.tv_sec) {
++			if (entry->expire > date.tv_sec) {
  				chunk_printf(&trash, "%p hash:%u size:%u (%u blocks), refcount:%u, expire:%d\n",
  					     entry, (*(unsigned int *)entry->hash),
  					     block_ptr(entry)->len, block_ptr(entry)->block_count,
--					     block_ptr(entry)->refcount, entry->expire - (int)now.tv_sec);
++					     block_ptr(entry)->refcount, entry->expire - (int)date.tv_sec);
  			} else {
  				/* time to remove that one */
  				eb32_delete(&entry->eb);
 diff --git a/src/cfgparse-listen.c b/src/cfgparse-listen.c
 index 8bb85c6..7520620 100644
 --- a/src/cfgparse-listen.c
 +++ b/src/cfgparse-listen.c
@@ -381,7 +381,8 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
+ 		}
  		/* set default values */
--		memcpy(&curproxy->defsrv, &defproxy.defsrv, sizeof(curproxy->defsrv));
++		srv_settings_cpy(&curproxy->defsrv, &defproxy.defsrv, 0);
++
  		curproxy->defsrv.id = "default-server";
  		curproxy->state = defproxy.state;
 diff --git a/src/cfgparse.c b/src/cfgparse.c
 index 36cb18d..e4a93dd 100644
 --- a/src/cfgparse.c
 +++ b/src/cfgparse.c
@@ -540,9 +540,10 @@ static struct bind_conf *bind_conf_uniq_alloc(struct proxy *p,
  	if (!LIST_ISEMPTY(&p->conf.bind)) {
  		bind_conf = LIST_ELEM((&p->conf.bind)->n, typeof(bind_conf), by_fe);
--		free(bind_conf->file);
--		bind_conf->file = strdup(file);
--		bind_conf->line = line;
++		/*
++		 * We keep bind_conf->file and bind_conf->line unchanged
++		 * to make them available for error messages
++		 */
  		if (arg) {
  			free(bind_conf->arg);
  			bind_conf->arg = strdup(arg);
@@ -627,7 +628,12 @@ int cfg_parse_peers(const char *file, int linenum, char **args, int kwm)
+ 		}
  		bind_conf = bind_conf_uniq_alloc(curpeers->peers_fe, file, linenum,
--		                                 NULL, xprt_get(XPRT_RAW));
++		                                 args[1], xprt_get(XPRT_RAW));
++		if (!bind_conf) {
++			ha_alert("parsing [%s:%d] : '%s %s' : cannot allocate memory.\n", file, linenum, args[0], args[1]);
++			err_code |= ERR_FATAL;
++			goto out;
++		}
  		if (*args[0] == 'b') {
  			struct listener *l;
@@ -637,6 +643,11 @@ int cfg_parse_peers(const char *file, int linenum, char **args, int kwm)
  				goto out;
+ 			}
++			if (!LIST_ISEMPTY(&bind_conf->listeners)) {
++				ha_alert("parsing [%s:%d] : One listener per \"peers\" section is authorized but another is already configured at [%s:%d].\n", file, linenum, bind_conf->file, bind_conf->line);
++				err_code |= ERR_FATAL;
++			}
++
  			if (!str2listener(args[1], curpeers->peers_fe, bind_conf, file, linenum, &errmsg)) {
  				if (errmsg && *errmsg) {
  					indent_msg(&errmsg, 2);
@@ -644,11 +655,14 @@ int cfg_parse_peers(const char *file, int linenum, char **args, int kwm)
+ 				}
  				else
  					ha_alert("parsing [%s:%d] : '%s %s' : error encountered while parsing listening address %s.\n",
--							 file, linenum, args[0], args[1], args[2]);
++							 file, linenum, args[0], args[1], args[1]);
  				err_code |= ERR_FATAL;
  				goto out;
+ 			}
--			l = LIST_ELEM(bind_conf->listeners.n, typeof(l), by_bind);
++			/*
++			 * Newly allocated listener is at the end of the list
++			 */
++			l = LIST_ELEM(bind_conf->listeners.p, typeof(l), by_bind);
  			l->maxaccept = 1;
  			l->accept = session_accept_fd;
  			l->analysers |=  curpeers->peers_fe->fe_req_ana;
@@ -848,6 +862,16 @@ int cfg_parse_peers(const char *file, int linenum, char **args, int kwm)
  			goto out;
  		bind_conf = bind_conf_uniq_alloc(curpeers->peers_fe, file, linenum, args[2], xprt_get(XPRT_RAW));
++		if (!bind_conf) {
++			ha_alert("parsing [%s:%d] : '%s %s' : Cannot allocate memory.\n", file, linenum, args[0], args[1]);
++			err_code |= ERR_FATAL;
++			goto out;
++		}
++
++		if (!LIST_ISEMPTY(&bind_conf->listeners)) {
++			ha_alert("parsing [%s:%d] : One listener per \"peers\" section is authorized but another is already configured at [%s:%d].\n", file, linenum, bind_conf->file, bind_conf->line);
++			err_code |= ERR_FATAL;
++		}
  		if (!str2listener(args[2], curpeers->peers_fe, bind_conf, file, linenum, &errmsg)) {
  			if (errmsg && *errmsg) {
@@ -861,7 +885,10 @@ int cfg_parse_peers(const char *file, int linenum, char **args, int kwm)
  			goto out;
+ 		}
--		l = LIST_ELEM(bind_conf->listeners.n, typeof(l), by_bind);
++		/*
++		 * Newly allocated listener is at the end of the list
++		 */
++		l = LIST_ELEM(bind_conf->listeners.p, typeof(l), by_bind);
  		l->maxaccept = 1;
  		l->accept = session_accept_fd;
  		l->analysers |=  curpeers->peers_fe->fe_req_ana;
@@ -2078,6 +2105,7 @@ next_line:
  				/* if not enough space in thisline */
  				if (newlinesize  > linesize) {
++					uintptr_t thisline_addr = (uintptr_t)thisline; /* Save thisline address to make GCC happy ! */
  					char *newline;
  					newline = realloc(thisline, newlinesize * sizeof(*thisline));
@@ -2087,20 +2115,20 @@ next_line:
  						goto next_line; /* slip current line */
+ 					}
  					/* recompute pointers if realloc returns a new pointer */
--					if (newline != thisline) {
++					if (newline != (char *)thisline_addr) {
  						int i;
  						int diff;
  						for (i = 0; i <= arg; i++) {
--							diff = args[i] - thisline;
++							diff = args[i] - (char *)thisline_addr;
  							args[i] = newline + diff;
+ 						}
--						diff = var_end - thisline;
++						diff = var_end - (char *)thisline_addr;
  						var_end = newline + diff;
--						diff = end - thisline;
++						diff = end - (char *)thisline_addr;
  						end = newline + diff;
--						diff = line - thisline;
++						diff = line - (char *)thisline_addr;
  						line = newline + diff;
  						thisline = newline;
+ 					}
 diff --git a/src/dns.c b/src/dns.c
 index 694f840..de9892b 100644
 --- a/src/dns.c
 +++ b/src/dns.c
@@ -175,11 +175,11 @@ static void dns_update_resolvers_timeout(struct dns_resolvers *resolvers)
  	next = tick_add(now_ms, resolvers->timeout.resolve);
  	if (!LIST_ISEMPTY(&resolvers->resolutions.curr)) {
  		res  = LIST_NEXT(&resolvers->resolutions.curr, struct dns_resolution *, list);
--		next = MIN(next, tick_add(res->last_query, resolvers->timeout.retry));
++		next = tick_first(next, tick_add(res->last_query, resolvers->timeout.retry));
+ 	}
  	list_for_each_entry(res, &resolvers->resolutions.wait, list)
--		next = MIN(next, tick_add(res->last_resolution, dns_resolution_timeout(res)));
++		next = tick_first(next, tick_add(res->last_resolution, dns_resolution_timeout(res)));
  	resolvers->t->expire = next;
  	task_queue(resolvers->t);
@@ -1990,7 +1990,7 @@ static void dns_deinit(void)
  /* Finalizes the DNS configuration by allocating required resources and checking
   * live parameters.
-- * Returns 0 on success, ERR_* flags otherwise.
++ * Returns 0 on success, 1 on error.
   */
  static int dns_finalize_config(void)
+ {
@@ -2058,6 +2058,13 @@ static int dns_finalize_config(void)
  	for (px = proxies_list; px; px = px->next) {
  		struct server *srv;
++		if (px->state == PR_STSTOPPED) {
++			/* must not run and will not work anyway since
++			 * nothing in the proxy is initialized.
++			 */
++			continue;
++		}
++
  		for (srv = px->srv; srv; srv = srv->next) {
  			struct dns_resolvers *resolvers;
@@ -2093,10 +2100,10 @@ static int dns_finalize_config(void)
  	if (err_code & (ERR_ALERT|ERR_ABORT))
  		goto err;
--	return err_code;
++	return 0;
    err:
  	dns_deinit();
--	return err_code;
++	return 1;
+ }
@@ -2262,7 +2269,12 @@ enum act_return dns_action_do_resolve(struct act_rule *rule, struct proxy *px,
  		if (resolution->step == RSLV_STEP_RUNNING)
  			goto yield;
  		if (resolution->step == RSLV_STEP_NONE) {
--			/* We update the variable only if we have a valid response. */
++			/* We update the variable only if we have a valid
++			 * response. If the response was not received yet, we
++			 * must yield.
++			 */
++			if (resolution->status == RSLV_STATUS_NONE)
++				goto yield;
  			if (resolution->status == RSLV_STATUS_VALID) {
  				struct sample smp;
  				short ip_sin_family = 0;
 diff --git a/src/ev_epoll.c b/src/ev_epoll.c
 index 6c09c04..d836306 100644
 --- a/src/ev_epoll.c
 +++ b/src/ev_epoll.c
@@ -146,7 +146,7 @@ REGPRM3 static void _do_poll(struct poller *p, int exp, int wake)
  	thread_harmless_now();
--	/* now let's wait for polled events */
++	/* Now let's wait for polled events. */
  	wait_time = wake ? 0 : compute_poll_timeout(exp);
  	tv_entering_poll();
  	activity_count_runtime();
@@ -160,7 +160,7 @@ REGPRM3 static void _do_poll(struct poller *p, int exp, int wake)
  			break;
  		if (timeout || !wait_time)
  			break;
--		if (signal_queue_len || wake)
++		if (wake)
  			break;
  		if (tick_isset(exp) && tick_is_expired(exp, now_ms))
  			break;
 diff --git a/src/ev_evports.c b/src/ev_evports.c
 index eae72d0..2442579 100644
 --- a/src/ev_evports.c
 +++ b/src/ev_evports.c
@@ -141,9 +141,7 @@ REGPRM3 static void _do_poll(struct poller *p, int exp, int wake)
  	thread_harmless_now();
--	/*
--	 * Determine how long to wait for events to materialise on the port.
--	 */
++	/* Now let's wait for polled events. */
  	wait_time = wake ? 0 : compute_poll_timeout(exp);
  	tv_entering_poll();
  	activity_count_runtime();
@@ -183,7 +181,7 @@ REGPRM3 static void _do_poll(struct poller *p, int exp, int wake)
  			break;
  		if (timeout || !wait_time)
  			break;
--		if (signal_queue_len || wake)
++		if (wake)
  			break;
  		if (tick_isset(exp) && tick_is_expired(exp, now_ms))
  			break;
 diff --git a/src/ev_kqueue.c b/src/ev_kqueue.c
 index 56e7147..47f4647 100644
 --- a/src/ev_kqueue.c
 +++ b/src/ev_kqueue.c
@@ -131,7 +131,7 @@ REGPRM3 static void _do_poll(struct poller *p, int exp, int wake)
+ 	}
  	fd_nbupdt = 0;
--	/* now let's wait for events */
++	/* Now let's wait for polled events. */
  	wait_time = wake ? 0 : compute_poll_timeout(exp);
  	fd = global.tune.maxpollevents;
  	tv_entering_poll();
@@ -155,7 +155,7 @@ REGPRM3 static void _do_poll(struct poller *p, int exp, int wake)
  			break;
  		if (timeout || !wait_time)
  			break;
--		if (signal_queue_len || wake)
++		if (wake)
  			break;
  		if (tick_isset(exp) && tick_is_expired(exp, now_ms))
  			break;
 diff --git a/src/ev_poll.c b/src/ev_poll.c
 index 86bf8e8..39e5fd9 100644
 --- a/src/ev_poll.c
 +++ b/src/ev_poll.c
@@ -24,6 +24,7 @@
  #include <common/time.h>
  #include <types/global.h>
++#include <types/signal.h>
  #include <proto/activity.h>
  #include <proto/fd.h>
@@ -193,7 +194,7 @@ REGPRM3 static void _do_poll(struct poller *p, int exp, int wake)
+ 		}
+ 	}
--	/* now let's wait for events */
++	/* Now let's wait for polled events. */
  	wait_time = wake ? 0 : compute_poll_timeout(exp);
  	tv_entering_poll();
  	activity_count_runtime();
 diff --git a/src/flt_spoe.c b/src/flt_spoe.c
 index 16b5d6f..128461b 100644
 --- a/src/flt_spoe.c
 +++ b/src/flt_spoe.c
@@ -1290,7 +1290,7 @@ spoe_release_appctx(struct appctx *appctx)
  	/* Destroy the task attached to this applet */
  	task_destroy(spoe_appctx->task);
--	/* Notify all waiting streams */
++	/* Report an error to all streams in the appctx waiting queue */
  	list_for_each_entry_safe(ctx, back, &spoe_appctx->waiting_queue, list) {
  		LIST_DEL(&ctx->list);
  		LIST_INIT(&ctx->list);
@@ -1302,8 +1302,8 @@ spoe_release_appctx(struct appctx *appctx)
  		task_wakeup(ctx->strm->task, TASK_WOKEN_MSG);
+ 	}
--	/* If the applet was processing a fragmented frame, notify the
--	 * corresponding stream. */
++	/* If the applet was processing a fragmented frame, report an error to
++	 * the corresponding stream. */
  	if (spoe_appctx->frag_ctx.ctx) {
  		ctx = spoe_appctx->frag_ctx.ctx;
  		ctx->spoe_appctx = NULL;
@@ -1312,7 +1312,11 @@ spoe_release_appctx(struct appctx *appctx)
  		task_wakeup(ctx->strm->task, TASK_WOKEN_MSG);
+ 	}
--	if (!LIST_ISEMPTY(&agent->rt[tid].waiting_queue)) {
++	if (!LIST_ISEMPTY(&agent->rt[tid].applets)) {
++		/* If there are still some running applets, remove reference on
++		 * the current one from streams in the async waiting queue. In
++		 * async mode, the ACK may be received from another appctx.
++		 */
  		list_for_each_entry_safe(ctx, back, &agent->rt[tid].waiting_queue, list) {
  			if (ctx->spoe_appctx == spoe_appctx)
  				ctx->spoe_appctx = NULL;
@@ -1320,16 +1324,25 @@ spoe_release_appctx(struct appctx *appctx)
  		goto end;
+ 	}
  	else {
--		/* It is the last running applet and the sending and waiting
--		 * queues are not empty. Try to start a new one if HAproxy is
--		 * not stopping.
++		/* It is the last running applet and the sending and async
++		 * waiting queues are not empty. So try to start a new applet if
++		 * HAproxy is not stopping. On success, we remove reference on
++		 * the current appctx from streams in the async waiting queue.
++		 * In async mode, the ACK may be received from another appctx.
  		 */
  		if (!stopping &&
  		    (!LIST_ISEMPTY(&agent->rt[tid].sending_queue) || !LIST_ISEMPTY(&agent->rt[tid].waiting_queue)) &&
--		    spoe_create_appctx(agent->spoe_conf))
++		    spoe_create_appctx(agent->spoe_conf)) {
++			list_for_each_entry_safe(ctx, back, &agent->rt[tid].waiting_queue, list) {
++				if (ctx->spoe_appctx == spoe_appctx)
++					ctx->spoe_appctx = NULL;
++			}
  			goto end;
++		}
--		/* otherwise, notify all waiting streams */
++		/* Otherwise, report an error to all streams in the sending and
++		 * async waiting queues.
++		 */
  		list_for_each_entry_safe(ctx, back, &agent->rt[tid].sending_queue, list) {
  			LIST_DEL(&ctx->list);
  			LIST_INIT(&ctx->list);
 diff --git a/src/h1.c b/src/h1.c
 index 3839fbe..69a7ced 100644
 --- a/src/h1.c
 +++ b/src/h1.c
@@ -672,6 +672,10 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
  		if (likely(*ptr == ':')) {
  			col = ptr - start;
++			if (col <= sol) {
++				state = H1_MSG_HDR_NAME;
++				goto http_msg_invalid;
++			}
  			EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_hdr_l1_sp, http_msg_ood, state, H1_MSG_HDR_L1_SP);
+ 		}
 diff --git a/src/haproxy.c b/src/haproxy.c
 index aa37504..f6166d4 100644
 --- a/src/haproxy.c
 +++ b/src/haproxy.c
@@ -1,6 +1,6 @@
  /*
   * HA-Proxy : High Availability-enabled HTTP/TCP proxy
-- * Copyright 2000-2022 Willy Tarreau <willy@haproxy.org>.
++ * Copyright 2000-2023 Willy Tarreau <willy@haproxy.org>.
+  *
   * This program is free software; you can redistribute it and/or
   * modify it under the terms of the GNU General Public License
@@ -242,6 +242,7 @@ struct mworker_proc *proc_self = NULL;
  /* list of the temporarily limited listeners because of lack of resource */
  struct list global_listener_queue = LIST_HEAD_INIT(global_listener_queue);
  struct task *global_listener_queue_task;
++__decl_hathreads(HA_RWLOCK_T global_listener_rwlock);
  static struct task *manage_global_listener_queue(struct task *t, void *context, unsigned short state);
  static void *run_thread_poll_loop(void *data);
@@ -2071,6 +2072,7 @@ static void init(int argc, char **argv)
  	/* very simple initialization, users will queue the task if needed */
  	global_listener_queue_task->context = NULL; /* not even a context! */
  	global_listener_queue_task->process = manage_global_listener_queue;
++	HA_RWLOCK_INIT(&global_listener_rwlock);
  	/* now we know the buffer size, we can initialize the channels and buffers */
  	init_buffer();
@@ -2778,7 +2780,7 @@ static void run_poll_loop()
  		if (killed > 1)
  			break;
--		/* expire immediately if events are pending */
++		/* expire immediately if events or signals are pending */
  		wake = 1;
  		if (fd_cache_mask & tid_bit)
  			activity[tid].wake_cache++;
@@ -2792,6 +2794,10 @@ static void run_poll_loop()
  			if (global_tasks_mask & tid_bit) {
  				activity[tid].wake_tasks++;
  				_HA_ATOMIC_AND(&sleeping_thread_mask, ~tid_bit);
++			} else if (signal_queue_len) {
++				/* this check is required to avoid
++				 * a race with wakeup on signals using wake_threads() */
++				_HA_ATOMIC_AND(&sleeping_thread_mask, ~tid_bit);
  			} else
  				wake = 0;
+ 		}
@@ -2946,7 +2952,9 @@ static struct task *manage_global_listener_queue(struct task *t, void *context,
  	dequeue_all_listeners(&global_listener_queue);
   out:
++	HA_RWLOCK_WRLOCK(LISTENER_LOCK, &global_listener_rwlock);
  	t->expire = next;
++	HA_RWLOCK_WRUNLOCK(LISTENER_LOCK, &global_listener_rwlock);
  	task_queue(t);
  	return t;
+ }
 diff --git a/src/hlua.c b/src/hlua.c
 index 888890f..bd8a679 100644
 --- a/src/hlua.c
 +++ b/src/hlua.c
@@ -649,7 +649,9 @@ __LJMP int hlua_lua2arg_check(lua_State *L, int first, struct arg *argp,
  					break;
  				case ARGT_TAB:
--					argp[idx].data.prx = p;
++					if (!p->table)
++						WILL_LJMP(luaL_argerror(L, first + idx, "Mandatory argument expected"));
++					argp[idx].data.t = p->table;
  					argp[idx].type = ARGT_TAB;
  					argp[idx+1].type = ARGT_STOP;
  					break;
 diff --git a/src/hlua_fcn.c b/src/hlua_fcn.c
 index 955a1ce..c42a60a 100644
 --- a/src/hlua_fcn.c
 +++ b/src/hlua_fcn.c
@@ -1298,6 +1298,7 @@ int hlua_proxy_pause(lua_State *L)
  	struct proxy *px;
  	px = hlua_check_proxy(L, 1);
++	/* safe to call without PROXY_LOCK - pause_proxy takes it */
  	pause_proxy(px);
  	return 0;
+ }
@@ -1307,6 +1308,7 @@ int hlua_proxy_resume(lua_State *L)
  	struct proxy *px;
  	px = hlua_check_proxy(L, 1);
++	/* safe to call without PROXY_LOCK - resume_proxy takes it */
  	resume_proxy(px);
  	return 0;
+ }
@@ -1316,6 +1318,7 @@ int hlua_proxy_stop(lua_State *L)
  	struct proxy *px;
  	px = hlua_check_proxy(L, 1);
++	/* safe to call without PROXY_LOCK - stop_proxy takes it */
  	stop_proxy(px);
  	return 0;
+ }
 diff --git a/src/hpack-dec.c b/src/hpack-dec.c
 index 7f3e762..0fc71eb 100644
 --- a/src/hpack-dec.c
 +++ b/src/hpack-dec.c
@@ -425,6 +425,15 @@ int hpack_decode_frame(struct hpack_dht *dht, const uint8_t *raw, uint32_t len,
  			/* <name> and <value> are correctly filled here */
+ 		}
++		/* We must not accept empty header names (forbidden by the spec and used
++		 * as a list termination).
++		 */
++		if (!name.len) {
++			hpack_debug_printf("##ERR@%d##\n", __LINE__);
++			ret = -HPACK_ERR_INVALID_ARGUMENT;
++			goto leave;
++		}
++
  		/* here's what we have here :
  		 *   - name.len > 0
  		 *   - value is filled with either const data or data allocated from tmp
 diff --git a/src/http_fetch.c b/src/http_fetch.c
 index d40bc1d..ea87a52 100644
 --- a/src/http_fetch.c
 +++ b/src/http_fetch.c
@@ -244,7 +244,7 @@ struct htx *smp_prefetch_htx(struct sample *smp, struct channel *chn, int vol)
  	if (IS_HTX_STRM(s)) {
  		htx = htxbuf(&chn->buf);
--		if (msg->msg_state == HTTP_MSG_ERROR || (htx->flags & HTX_FL_PARSING_ERROR))
++		if (htx->flags & HTX_FL_PARSING_ERROR)
  			return NULL;
  		if (msg->msg_state < HTTP_MSG_BODY) {
@@ -460,6 +460,7 @@ static int smp_fetch_meth(const struct arg *args, struct sample *smp, const char
  	struct channel *chn = SMP_REQ_CHN(smp);
  	int meth;
  	struct http_txn *txn;
++	struct htx *htx = NULL;
  	if (smp->px->options2 & PR_O2_USE_HTX) {
  		/* HTX version */
@@ -468,15 +469,17 @@ static int smp_fetch_meth(const struct arg *args, struct sample *smp, const char
  			return 0;
  		meth = txn->meth;
--		smp->data.type = SMP_T_METH;
--		smp->data.u.meth.meth = meth;
  		if (meth == HTTP_METH_OTHER) {
--			struct htx *htx;
--			struct htx_sl *sl;
--
  			htx = smp_prefetch_htx(smp, chn, 1);
  			if (!htx)
  				return 0;
++			meth = txn->meth;
++		}
++
++		smp->data.type = SMP_T_METH;
++		smp->data.u.meth.meth = meth;
++		if (meth == HTTP_METH_OTHER) {
++			struct htx_sl *sl;
  			if ((smp->opt & SMP_OPT_DIR) == SMP_OPT_DIR_RES) {
  				/* ensure the indexes are not affected */
 diff --git a/src/http_msg.c b/src/http_msg.c
 index 067a7f8..e07c81c 100644
 --- a/src/http_msg.c
 +++ b/src/http_msg.c
@@ -1006,8 +1006,14 @@ void http_msg_analyzer(struct http_msg *msg, struct hdr_idx *idx)
  		if (likely(HTTP_IS_TOKEN(*ptr)))
  			EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_hdr_name, http_msg_ood, state, HTTP_MSG_HDR_NAME);
--		if (likely(*ptr == ':'))
++		if (likely(*ptr == ':')) {
++			if (ptr == input + msg->sol) {
++				/* empty header names are not permitted */
++				state = HTTP_MSG_HDR_NAME;
++				goto http_msg_invalid;
++			}
  			EAT_AND_JUMP_OR_RETURN(ptr, end, http_msg_hdr_l1_sp, http_msg_ood, state, HTTP_MSG_HDR_L1_SP);
++		}
  		if (likely(msg->err_pos < -1) || *ptr == '\n') {
  			state = HTTP_MSG_HDR_NAME;
 diff --git a/src/listener.c b/src/listener.c
 index 2141017..0ba2ee1 100644
 --- a/src/listener.c
 +++ b/src/listener.c
@@ -766,7 +766,9 @@ void listener_accept(int fd)
  					 */
  					next_actconn = 0;
  					limit_listener(l, &global_listener_queue);
++					HA_RWLOCK_RDLOCK(LISTENER_LOCK, &global_listener_rwlock);
  					task_schedule(global_listener_queue_task, tick_add(now_ms, 1000)); /* try again in 1 second */
++					HA_RWLOCK_RDUNLOCK(LISTENER_LOCK, &global_listener_rwlock);
  					goto end;
+ 				}
  				next_actconn = count + 1;
@@ -870,7 +872,9 @@ void listener_accept(int fd)
  				 p->id);
  			close(cfd);
  			limit_listener(l, &global_listener_queue);
++			HA_RWLOCK_RDLOCK(LISTENER_LOCK, &global_listener_rwlock);
  			task_schedule(global_listener_queue_task, tick_add(now_ms, 1000)); /* try again in 1 second */
++			HA_RWLOCK_RDUNLOCK(LISTENER_LOCK, &global_listener_rwlock);
  			goto end;
+ 		}
@@ -1038,7 +1042,9 @@ void listener_accept(int fd)
   wait_expire:
  	/* switch the listener to LI_LIMITED and wait until up to <expire> in the global queue */
  	limit_listener(l, &global_listener_queue);
++	HA_RWLOCK_RDLOCK(LISTENER_LOCK, &global_listener_rwlock);
  	task_schedule(global_listener_queue_task, tick_first(expire, global_listener_queue_task->expire));
++	HA_RWLOCK_RDUNLOCK(LISTENER_LOCK, &global_listener_rwlock);
   end:
  	if (next_conn)
  		_HA_ATOMIC_SUB(&l->nbconn, 1);
 diff --git a/src/log.c b/src/log.c
 index e1c47ff..a63ba61 100644
 --- a/src/log.c
 +++ b/src/log.c
@@ -1262,17 +1262,21 @@ char *lf_text_len(char *dst, const char *src, size_t len, size_t size, const str
+ 	}
  	if (src && len) {
--		if (++len > size)
--			len = size;
++		/* escape_string and strlcpy2 will both try to add terminating NULL-byte
++		 * to dst, so we need to make sure that extra byte will fit into dst
++		 * before calling them
++		 */
  		if (node->options & LOG_OPT_ESC) {
  			char *ret;
--			ret = escape_string(dst, dst + len, '\\', rfc5424_escape_map, src);
++			ret = escape_string(dst, (dst + size - 1), '\\', rfc5424_escape_map, src, src + len);
  			if (ret == NULL || *ret != '\0')
  				return NULL;
  			len = ret - dst;
+ 		}
  		else {
++			if (++len > size)
++				len = size;
  			len = strlcpy2(dst, src, len);
+ 		}
@@ -1283,6 +1287,7 @@ char *lf_text_len(char *dst, const char *src, size_t len, size_t size, const str
  		if (size < 2)
  			return NULL;
  		*(dst++) = '-';
++		size -= 1;
+ 	}
  	if (node->options & LOG_OPT_QUOTE) {
 diff --git a/src/memory.c b/src/memory.c
 index 242264c..bf19df3 100644
 --- a/src/memory.c
 +++ b/src/memory.c
@@ -531,24 +531,24 @@ int pool_total_failures()
+ }
  /* This function returns the total amount of memory allocated in pools (in bytes) */
--unsigned long pool_total_allocated()
++unsigned long long pool_total_allocated()
+ {
  	struct pool_head *entry;
--	unsigned long allocated = 0;
++	unsigned long long allocated = 0;
  	list_for_each_entry(entry, &pools, list)
--		allocated += entry->allocated * entry->size;
++		allocated += entry->allocated * (unsigned long long)entry->size;
  	return allocated;
+ }
  /* This function returns the total amount of memory used in pools (in bytes) */
--unsigned long pool_total_used()
++unsigned long long pool_total_used()
+ {
  	struct pool_head *entry;
--	unsigned long used = 0;
++	unsigned long long used = 0;
  	list_for_each_entry(entry, &pools, list)
--		used += entry->used * entry->size;
++		used += entry->used * (unsigned long long)entry->size;
  	return used;
+ }
 diff --git a/src/mux_h1.c b/src/mux_h1.c
 index 560632a..4c91672 100644
 --- a/src/mux_h1.c
 +++ b/src/mux_h1.c
@@ -623,7 +623,7 @@ static int h1_process_req_vsn(struct h1s *h1s, struct h1m *h1m, union h1_sl sl)
  		if (sl.rq.v.len != 8)
  			return 0;
--		if (*(sl.rq.v.ptr + 4) != '/' ||
++		if (!istnmatch(sl.rq.v, ist("HTTP/"), 5) ||
  		    !isdigit((unsigned char)*(sl.rq.v.ptr + 5)) ||
  		    *(sl.rq.v.ptr + 6) != '.' ||
  		    !isdigit((unsigned char)*(sl.rq.v.ptr + 7)))
 diff --git a/src/mux_h2.c b/src/mux_h2.c
 index 09f8fa5..3141b36 100644
 --- a/src/mux_h2.c
 +++ b/src/mux_h2.c
@@ -60,6 +60,7 @@ static const struct h2s *h2_idle_stream;
                                              // (SHORT_READ is also excluded)
  #define H2_CF_DEM_SHORT_READ    0x00000200  // demux blocked on incomplete frame
++#define H2_CF_DEM_IN_PROGRESS   0x00000400  // demux in progress (dsi,dfl,dft are valid)
  /* other flags */
  #define H2_CF_GOAWAY_SENT       0x00001000  // a GOAWAY frame was successfully sent
@@ -310,7 +311,6 @@ static struct task *h2_deferred_shut(struct task *t, void *ctx, unsigned short s
  static struct h2s *h2c_bck_stream_new(struct h2c *h2c, struct conn_stream *cs, struct session *sess);
  static void h2s_alert(struct h2s *h2s);
--
  /* Detect a pending read0 for a H2 connection. It happens if a read0 was
   * already reported on a previous xprt->rcvbuf() AND a frame parser failed
   * to parse pending data, confirming no more progress is possible because
@@ -2546,6 +2546,7 @@ static void h2_process_demux(struct h2c *h2c)
  			h2c->dft = hdr.ft;
  			h2c->dff = hdr.ff;
  			h2c->dpl = padlen;
++			h2c->flags |= H2_CF_DEM_IN_PROGRESS;
  			h2c->st0 = H2_CS_FRAME_P;
  			/* check for minimum basic frame format validity */
@@ -2821,8 +2822,10 @@ static void h2_process_demux(struct h2c *h2c)
  			ret = MIN(b_data(&h2c->dbuf), h2c->dfl);
  			b_del(&h2c->dbuf, ret);
  			h2c->dfl -= ret;
--			if (!h2c->dfl)
++			if (!h2c->dfl) {
++				h2c->flags &= ~H2_CF_DEM_IN_PROGRESS;
  				h2c->st0 = H2_CS_FRAME_H;
++			}
+ 		}
+ 	}
@@ -3935,6 +3938,10 @@ next_frame:
  		*flags |= H2_SF_HEADERS_RCVD;
  	if ((h2c->dff & H2_F_HEADERS_END_STREAM)) {
++		if (msgf & H2_MSGF_RSP_1XX) {
++			/* RFC9113#8.1 : HEADERS frame with the ES flag set that carries an informational status code is malformed */
++			goto fail;
++		}
  		/* Mark the end of message, either using EOM in HTX or with the
  		 * trailing CRLF after the end of trailers. Note that DATA_CHNK
  		 * is not set during headers with END_STREAM. For HTX trailers,
 diff --git a/src/mworker.c b/src/mworker.c
 index 5ff1ef9..487d071 100644
 --- a/src/mworker.c
 +++ b/src/mworker.c
@@ -417,8 +417,10 @@ void mworker_cleanlisteners()
  		stop_proxy(curpeers->peers_fe);
  		/* disable this peer section so that it kills itself */
--		signal_unregister_handler(curpeers->sighandler);
--		task_destroy(curpeers->sync_task);
++		if (curpeers->sighandler)
++			signal_unregister_handler(curpeers->sighandler);
++		if (curpeers->sync_task)
++			task_destroy(curpeers->sync_task);
  		curpeers->sync_task = NULL;
  		task_destroy(curpeers->peers_fe->task);
  		curpeers->peers_fe->task = NULL;
 diff --git a/src/peers.c b/src/peers.c
 index ec8de36..a206d9f 100644
 --- a/src/peers.c
 +++ b/src/peers.c
@@ -105,6 +105,7 @@
  #define PEER_RESYNC_TIMEOUT         5000 /* 5 seconds */
  #define PEER_RECONNECT_TIMEOUT      5000 /* 5 seconds */
++#define PEER_LOCAL_RECONNECT_TIMEOUT 500 /* 500ms */
  #define PEER_HEARTBEAT_TIMEOUT      3000 /* 3 seconds */
  /*****************************/
@@ -1369,7 +1370,6 @@ static inline int peer_send_teach_stage2_msgs(struct appctx *appctx, struct peer
  static int peer_treat_updatemsg(struct appctx *appctx, struct peer *p, int updt, int exp,
                                  char **msg_cur, char *msg_end, int msg_len, int totl)
+ {
--	struct stream_interface *si = appctx->owner;
  	struct shared_table *st = p->remote_table;
  	struct stksess *ts, *newts;
  	uint32_t update;
@@ -1565,12 +1565,9 @@ static int peer_treat_updatemsg(struct appctx *appctx, struct peer *p, int updt,
  	HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
  	stktable_touch_remote(st->table, ts, 1);
--	return 1;
   ignore_msg:
--	/* skip consumed message */
--	co_skip(si_oc(si), totl);
--	return 0;
++	return 1;
   malformed_unlock:
  	/* malformed message */
@@ -1671,7 +1668,6 @@ static inline int peer_treat_switchmsg(struct appctx *appctx, struct peer *p,
  static inline int peer_treat_definemsg(struct appctx *appctx, struct peer *p,
                                        char **msg_cur, char *msg_end, int totl)
+ {
--	struct stream_interface *si = appctx->owner;
  	int table_id_len;
  	struct shared_table *st;
  	int table_type;
@@ -1728,11 +1724,9 @@ static inline int peer_treat_definemsg(struct appctx *appctx, struct peer *p,
  	p->remote_table->remote_data = table_data;
  	p->remote_table->remote_id = table_id;
--	return 1;
   ignore_msg:
--	co_skip(si_oc(si), totl);
--	return 0;
++	return 1;
   malformed_exit:
  	/* malformed message */
@@ -2413,7 +2407,7 @@ switchstate:
+ 					}
+ 				}
--				if (si_ic(si)->flags & CF_WRITE_PARTIAL)
++				if (si_ic(si)->flags & CF_WROTE_DATA)
  					curpeer->statuscode = PEER_SESS_SC_CONNECTEDCODE;
  				reql = peer_getline(appctx);
@@ -2593,7 +2587,9 @@ void peers_setup_frontend(struct proxy *fe)
  	fe->cap = PR_CAP_FE | PR_CAP_BE;
  	fe->maxconn = 0;
  	fe->conn_retries = CONN_RETRIES;
++	fe->timeout.connect = MS_TO_TICKS(1000);
  	fe->timeout.client = MS_TO_TICKS(5000);
++	fe->timeout.server = MS_TO_TICKS(5000);
  	fe->accept = frontend_accept;
  	fe->default_target = &peer_applet.obj_type;
  	fe->options2 |= PR_O2_INDEPSTR | PR_O2_SMARTCON | PR_O2_SMARTACC;
@@ -2613,7 +2609,7 @@ static struct appctx *peer_session_create(struct peers *peers, struct peer *peer
  	struct conn_stream *cs;
  	peer->new_conn++;
--	peer->reconnect = tick_add(now_ms, MS_TO_TICKS(PEER_RECONNECT_TIMEOUT));
++	peer->reconnect = tick_add(now_ms, (stopping ? MS_TO_TICKS(PEER_LOCAL_RECONNECT_TIMEOUT) : MS_TO_TICKS(PEER_RECONNECT_TIMEOUT)));
  	peer->heartbeat = TICK_ETERNITY;
  	peer->statuscode = PEER_SESS_SC_CONNECTCODE;
  	s = NULL;
@@ -2888,6 +2884,10 @@ static struct task *process_peer_sync(struct task * task, void *context, unsigne
  						peer_session_forceshutdown(ps);
+ 					}
+ 				}
++
++				/* Set resync timeout for the local peer and request a immediate reconnect */
++				peers->resync_timeout = tick_add(now_ms, MS_TO_TICKS(PEER_RESYNC_TIMEOUT));
++				peers->local->reconnect = now_ms;
+ 			}
+ 		}
@@ -2902,19 +2902,33 @@ static struct task *process_peer_sync(struct task * task, void *context, unsigne
+ 			}
+ 		}
  		else if (!ps->appctx) {
++			/* Re-arm resync timeout if necessary */
++			if (!tick_isset(peers->resync_timeout))
++				peers->resync_timeout = tick_add(now_ms, MS_TO_TICKS(PEER_RESYNC_TIMEOUT));
++
  			/* If there's no active peer connection */
--			if (ps->statuscode == 0 ||
--			    ps->statuscode == PEER_SESS_SC_SUCCESSCODE ||
--			    ps->statuscode == PEER_SESS_SC_CONNECTEDCODE ||
--			    ps->statuscode == PEER_SESS_SC_TRYAGAIN) {
--				/* connection never tried
--				 * or previous peer connection was successfully established
--				 * or previous tcp connect succeeded but init state incomplete
--				 * or during previous connect, peer replies a try again statuscode */
--
--				/* connect to the local peer if we must push a local sync */
--				if (peers->flags & PEERS_F_DONOTSTOP) {
--					peer_session_create(peers, ps);
++			if ((peers->flags & PEERS_RESYNC_STATEMASK) == PEERS_RESYNC_FINISHED &&
++			    !tick_is_expired(peers->resync_timeout, now_ms) &&
++			    (ps->statuscode == 0 ||
++			     ps->statuscode == PEER_SESS_SC_SUCCESSCODE ||
++			     ps->statuscode == PEER_SESS_SC_CONNECTEDCODE ||
++			     ps->statuscode == PEER_SESS_SC_TRYAGAIN)) {
++				/* The resync is finished for the local peer and
++				 *   the resync timeout is not expired and
++				 *   connection never tried
++				 *   or previous peer connection was successfully established
++				 *   or previous tcp connect succeeded but init state incomplete
++				 *   or during previous connect, peer replies a try again statuscode */
++
++				if (!tick_is_expired(ps->reconnect, now_ms)) {
++					/* reconnection timer is not expired. reschedule task for reconnect */
++					task->expire = tick_first(task->expire, ps->reconnect);
++				}
++				else  {
++					/* connect to the local peer if we must push a local sync */
++					if (peers->flags & PEERS_F_DONOTSTOP) {
++						peer_session_create(peers, ps);
++					}
+ 				}
+ 			}
  			else {
@@ -2929,6 +2943,9 @@ static struct task *process_peer_sync(struct task * task, void *context, unsigne
+ 			}
+ 		}
  		else if (ps->statuscode == PEER_SESS_SC_SUCCESSCODE ) {
++			/* Reset resync timeout during a resync */
++			peers->resync_timeout = TICK_ETERNITY;
++
  			/* current peer connection is active and established
  			 * wake up all peer handlers to push remaining local updates */
  			for (st = ps->tables; st ; st = st->next) {
 diff --git a/src/proto_http.c b/src/proto_http.c
 index bdc97de..8fb2294 100644
 --- a/src/proto_http.c
 +++ b/src/proto_http.c
@@ -7240,6 +7240,7 @@ void http_init_txn(struct stream *s)
  	struct proxy *fe = strm_fe(s);
  	struct conn_stream *cs = objt_cs(s->si[0].end);
++	txn->meth = HTTP_METH_OTHER;
  	txn->flags = ((cs && cs->flags & CS_FL_NOT_FIRST)
  		      ? (TX_NOT_FIRST|TX_WAIT_NEXT_RQ)
  		      : 0);
@@ -7268,8 +7269,10 @@ void http_init_txn(struct stream *s)
  	if (txn->hdr_idx.v)
  		hdr_idx_init(&txn->hdr_idx);
--	vars_init(&s->vars_txn,    SCOPE_TXN);
--	vars_init(&s->vars_reqres, SCOPE_REQ);
++	/* here we don't want to re-initialize s->vars_txn and s->vars_reqres
++	 * variable lists, because they were already initialized upon stream
++	 * creation in stream_new(), and thus may already contain some variables
++	 */
+ }
  /* to be used at the end of a transaction */
@@ -7300,6 +7303,9 @@ void http_reset_txn(struct stream *s)
  	http_end_txn(s);
  	http_init_txn(s);
++	vars_init(&s->vars_txn,    SCOPE_TXN);
++	vars_init(&s->vars_reqres, SCOPE_REQ);
++
  	/* reinitialise the current rule list pointer to NULL. We are sure that
  	 * any rulelist match the NULL pointer.
  	 */
 diff --git a/src/proto_htx.c b/src/proto_htx.c
 index f79d495..51fdd47 100644
 --- a/src/proto_htx.c
 +++ b/src/proto_htx.c
@@ -2808,6 +2808,7 @@ void htx_res_set_status(unsigned int status, const char *reason, struct stream *
  	if (http_replace_res_status(htx, ist2(trash.area, trash.data)))
  		http_replace_res_reason(htx, ist2(reason, strlen(reason)));
++	s->txn->status = status;
+ }
  /* Executes the http-request rules <rules> for stream <s>, proxy <px> and
 diff --git a/src/proto_sockpair.c b/src/proto_sockpair.c
 index 602cb6c..d3aeb4e 100644
 --- a/src/proto_sockpair.c
 +++ b/src/proto_sockpair.c
@@ -209,7 +209,7 @@ int send_fd_uxst(int fd, int send_fd)
  	if (sendmsg(fd, &msghdr, 0) != sizeof(iobuf)) {
  		ha_warning("Failed to transfer socket\n");
--		return 1;
++		return -1;
+ 	}
  	return 0;
 diff --git a/src/proxy.c b/src/proxy.c
 index 92db68f..cb5f8e1 100644
 --- a/src/proxy.c
 +++ b/src/proxy.c
@@ -112,8 +112,8 @@ const struct cfg_opt cfg_opts2[] =
  	{ "http-pretend-keepalive",       PR_O2_FAKE_KA,   PR_CAP_BE, 0, PR_MODE_HTTP },
  	{ "http-no-delay",                PR_O2_NODELAY,   PR_CAP_FE|PR_CAP_BE, 0, PR_MODE_HTTP },
  	{ "http-use-htx",                 PR_O2_USE_HTX,   PR_CAP_FE|PR_CAP_BE, 0, 0 },
--	{"h1-case-adjust-bogus-client",   PR_O2_H1_ADJ_BUGCLI, PR_CAP_FE, 0, PR_MODE_HTTP },
--	{"h1-case-adjust-bogus-server",   PR_O2_H1_ADJ_BUGSRV, PR_CAP_BE, 0, PR_MODE_HTTP },
++	{"h1-case-adjust-bogus-client",   PR_O2_H1_ADJ_BUGCLI, PR_CAP_FE, 0, 0 },
++	{"h1-case-adjust-bogus-server",   PR_O2_H1_ADJ_BUGSRV, PR_CAP_BE, 0, 0 },
  	{"disable-h2-upgrade",            PR_O2_NO_H2_UPGRADE, PR_CAP_FE, 0, PR_MODE_HTTP },
  	{ NULL, 0, 0, 0 }
  };
@@ -1209,14 +1209,18 @@ void soft_stop(void)
   * listener returns an error, then the proxy state is set to PR_STERROR
   * because we don't know how to resume from this. The function returns 0
   * if it fails, or non-zero on success.
++ * The function takes the proxy's lock so it's safe to
++ * call from multiple places.
   */
  int pause_proxy(struct proxy *p)
+ {
  	struct listener *l;
++	HA_SPIN_LOCK(PROXY_LOCK, &p->lock);
++
  	if (!(p->cap & PR_CAP_FE) || p->state == PR_STERROR ||
  	    p->state == PR_STSTOPPED || p->state == PR_STPAUSED)
--		return 1;
++		goto end;
  	ha_warning("Pausing %s %s.\n", proxy_cap_str(p->cap), p->id);
  	send_log(p, LOG_WARNING, "Pausing %s %s.\n", proxy_cap_str(p->cap), p->id);
@@ -1229,10 +1233,13 @@ int pause_proxy(struct proxy *p)
  	if (p->state == PR_STERROR) {
  		ha_warning("%s %s failed to enter pause mode.\n", proxy_cap_str(p->cap), p->id);
  		send_log(p, LOG_WARNING, "%s %s failed to enter pause mode.\n", proxy_cap_str(p->cap), p->id);
++		HA_SPIN_UNLOCK(PROXY_LOCK, &p->lock);
  		return 0;
+ 	}
  	p->state = PR_STPAUSED;
++end:
++	HA_SPIN_UNLOCK(PROXY_LOCK, &p->lock);
  	return 1;
+ }
@@ -1279,7 +1286,8 @@ void zombify_proxy(struct proxy *p)
   * to be called when going down in order to release the ports so that another
   * process may bind to them. It must also be called on disabled proxies at the
   * end of start-up. If all listeners are closed, the proxy is set to the
-- * PR_STSTOPPED state. The function takes the proxy's lock so it's safe to
++ * PR_STSTOPPED state.
++ * The function takes the proxy's lock so it's safe to
   * call from multiple places.
   */
  void stop_proxy(struct proxy *p)
@@ -1314,14 +1322,18 @@ void stop_proxy(struct proxy *p)
   * listeners and tries to enable them all. If any of them fails, the proxy is
   * put back to the paused state. It returns 1 upon success, or zero if an error
   * is encountered.
++ * The function takes the proxy's lock so it's safe to
++ * call from multiple places.
   */
  int resume_proxy(struct proxy *p)
+ {
  	struct listener *l;
  	int fail;
++	HA_SPIN_LOCK(PROXY_LOCK, &p->lock);
++
  	if (p->state != PR_STPAUSED)
--		return 1;
++		goto end;
  	ha_warning("Enabling %s %s.\n", proxy_cap_str(p->cap), p->id);
  	send_log(p, LOG_WARNING, "Enabling %s %s.\n", proxy_cap_str(p->cap), p->id);
@@ -1353,9 +1365,13 @@ int resume_proxy(struct proxy *p)
  	p->state = PR_STREADY;
  	if (fail) {
++		HA_SPIN_UNLOCK(PROXY_LOCK, &p->lock);
++		/* pause_proxy will take PROXY_LOCK */
  		pause_proxy(p);
  		return 0;
+ 	}
++end:
++	HA_SPIN_UNLOCK(PROXY_LOCK, &p->lock);
  	return 1;
+ }
@@ -1648,8 +1664,8 @@ void proxy_capture_error(struct proxy *proxy, int is_back,
  	} else {
  		es = HA_ATOMIC_XCHG(&proxy->invalid_req, es);
+ 	}
--	free(es);
  	HA_SPIN_UNLOCK(PROXY_LOCK, &proxy->lock);
++	free(es);
+ }
  /* Configure all proxies which lack a maxconn setting to use the global one by
@@ -2199,9 +2215,8 @@ static int cli_parse_disable_frontend(char **args, char *payload, struct appctx
  		return 1;
+ 	}
--	HA_SPIN_LOCK(PROXY_LOCK, &px->lock);
++	/* pause_proxy will take PROXY_LOCK */
  	ret = pause_proxy(px);
--	HA_SPIN_UNLOCK(PROXY_LOCK, &px->lock);
  	if (!ret) {
  		appctx->ctx.cli.severity = LOG_ERR;
@@ -2242,9 +2257,8 @@ static int cli_parse_enable_frontend(char **args, char *payload, struct appctx *
  		return 1;
+ 	}
--	HA_SPIN_LOCK(PROXY_LOCK, &px->lock);
++	/* resume_proxy will take PROXY_LOCK */
  	ret = resume_proxy(px);
--	HA_SPIN_UNLOCK(PROXY_LOCK, &px->lock);
  	if (!ret) {
  		appctx->ctx.cli.severity = LOG_ERR;
 diff --git a/src/sample.c b/src/sample.c
 index 61e7097..e713f29 100644
 --- a/src/sample.c
 +++ b/src/sample.c
@@ -2196,13 +2196,14 @@ found:
  	if (!smp->data.u.str.data)
  		return 1;
--	smp->data.u.str.area = start;
  	/* Compute remaining size if needed
             Note: smp->data.u.str.size cannot be set to 0 */
  	if (smp->data.u.str.size)
  		smp->data.u.str.size -= start - smp->data.u.str.area;
++	smp->data.u.str.area = start;
++
  	return 1;
+ }
 diff --git a/src/server.c b/src/server.c
 index 81639b7..bef825d 100644
 --- a/src/server.c
 +++ b/src/server.c
@@ -1582,8 +1582,7 @@ static void display_parser_err(const char *file, int linenum, char **args, int c
  			 file, linenum, args[0], args[1], args[cur_arg]);
+ }
--static void srv_conn_src_sport_range_cpy(struct server *srv,
--                                            struct server *src)
++static void srv_conn_src_sport_range_cpy(struct server *srv, const struct server *src)
+ {
  	int range_sz;
@@ -1604,7 +1603,7 @@ static void srv_conn_src_sport_range_cpy(struct server *srv,
  /*
   * Copy <src> server connection source settings to <srv> server everything needed.
   */
--static void srv_conn_src_cpy(struct server *srv, struct server *src)
++static void srv_conn_src_cpy(struct server *srv, const struct server *src)
+ {
  	srv->conn_src.opts = src->conn_src.opts;
  	srv->conn_src.source_addr = src->conn_src.source_addr;
@@ -1630,7 +1629,7 @@ static void srv_conn_src_cpy(struct server *srv, struct server *src)
   * everything needed.
   */
  #if defined(USE_OPENSSL)
--static void srv_ssl_settings_cpy(struct server *srv, struct server *src)
++static void srv_ssl_settings_cpy(struct server *srv, const struct server *src)
+ {
  	if (src->ssl_ctx.ca_file != NULL)
  		srv->ssl_ctx.ca_file = strdup(src->ssl_ctx.ca_file);
@@ -1732,7 +1731,7 @@ static int srv_prepare_for_resolution(struct server *srv, const char *hostname)
   * <srv_tmpl> distinguishes these two cases (must be 1 if <srv> is a template,
   * 0 if not).
   */
--static void srv_settings_cpy(struct server *srv, struct server *src, int srv_tmpl)
++void srv_settings_cpy(struct server *srv, const struct server *src, int srv_tmpl)
+ {
  	/* Connection source settings copy */
  	srv_conn_src_cpy(srv, src);
 diff --git a/src/signal.c b/src/signal.c
 index 288ef00..58c1710 100644
 --- a/src/signal.c
 +++ b/src/signal.c
@@ -58,6 +58,9 @@ void signal_handler(int sig)
  	signal_state[sig].count++;
  	if (sig)
  		signal(sig, signal_handler); /* re-arm signal */
++
++	/* If the thread is TH_FL_SLEEPING we need to wake it */
++	wake_thread(tid);
+ }
  /* Call handlers of all pending signals and clear counts and queue length. The
 diff --git a/src/ssl_sock.c b/src/ssl_sock.c
 index 7ffcefc..b33580f 100644
 --- a/src/ssl_sock.c
 +++ b/src/ssl_sock.c
@@ -105,16 +105,20 @@
  #define SSL_SOCK_SEND_UNLIMITED     0x00000004
  #define SSL_SOCK_RECV_HEARTBEAT     0x00000008
--/* bits 0xFFFF0000 are reserved to store verify errors */
++/* bits 0xFFFFFF00 are reserved to store verify errors.
++ * The CA en CRT error codes will be stored on 7 bits each
++ * (since the max verify error code does not exceed 127)
++ * and the CA error depth will be stored on 4 bits.
++ */
  /* Verify errors macros */
--#define SSL_SOCK_CA_ERROR_TO_ST(e) (((e > 63) ? 63 : e) << (16))
--#define SSL_SOCK_CAEDEPTH_TO_ST(d) (((d > 15) ? 15 : d) << (6+16))
--#define SSL_SOCK_CRTERROR_TO_ST(e) (((e > 63) ? 63 : e) << (4+6+16))
++#define SSL_SOCK_CA_ERROR_TO_ST(e) (((e > 127) ? 127 : e) << (8))
++#define SSL_SOCK_CAEDEPTH_TO_ST(d) (((d > 15) ? 15 : d) << (7+8))
++#define SSL_SOCK_CRTERROR_TO_ST(e) (((e > 127) ? 127 : e) << (4+7+8))
--#define SSL_SOCK_ST_TO_CA_ERROR(s) ((s >> (16)) & 63)
--#define SSL_SOCK_ST_TO_CAEDEPTH(s) ((s >> (6+16)) & 15)
--#define SSL_SOCK_ST_TO_CRTERROR(s) ((s >> (4+6+16)) & 63)
++#define SSL_SOCK_ST_TO_CA_ERROR(s) ((s >> (8)) & 127)
++#define SSL_SOCK_ST_TO_CAEDEPTH(s) ((s >> (7+8)) & 15)
++#define SSL_SOCK_ST_TO_CRTERROR(s) ((s >> (4+7+8)) & 127)
  /* ssl_methods flags for ssl options */
  #define MC_SSL_O_ALL            0x0000
@@ -1606,7 +1610,8 @@ int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store)
  			ctx->xprt_st |= SSL_SOCK_CAEDEPTH_TO_ST(depth);
+ 		}
--		if (err < 64 && __objt_listener(conn->target)->bind_conf->ca_ignerr & (1ULL << err)) {
++		if (err <= SSL_MAX_VFY_ERROR_CODE &&
++		    cert_ignerr_bitfield_get(__objt_listener(conn->target)->bind_conf->ca_ignerr_bitfield, err)) {
  			ssl_sock_dump_errors(conn);
  			ERR_clear_error();
  			return 1;
@@ -1620,7 +1625,8 @@ int ssl_sock_bind_verifycbk(int ok, X509_STORE_CTX *x_store)
  		ctx->xprt_st |= SSL_SOCK_CRTERROR_TO_ST(err);
  	/* check if certificate error needs to be ignored */
--	if (err < 64 && __objt_listener(conn->target)->bind_conf->crt_ignerr & (1ULL << err)) {
++	if (err <= SSL_MAX_VFY_ERROR_CODE &&
++	    cert_ignerr_bitfield_get(__objt_listener(conn->target)->bind_conf->crt_ignerr_bitfield, err)) {
  		ssl_sock_dump_errors(conn);
  		ERR_clear_error();
  		return 1;
@@ -2175,13 +2181,13 @@ static void ssl_set_TLSv12_func(SSL *ssl, set_context_func c) {
  		: SSL_set_min_proto_version(ssl, TLS1_2_VERSION);
+ }
  static void ctx_set_TLSv13_func(SSL_CTX *ctx, set_context_func c) {
--#if SSL_OP_NO_TLSv1_3
++#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
  	c == SET_MAX ? SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)
  		: SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION);
  #endif
+ }
  static void ssl_set_TLSv13_func(SSL *ssl, set_context_func c) {
--#if SSL_OP_NO_TLSv1_3
++#if (HA_OPENSSL_VERSION_NUMBER >= 0x10101000L)
  	c == SET_MAX ? SSL_set_max_proto_version(ssl, TLS1_3_VERSION)
  		: SSL_set_min_proto_version(ssl, TLS1_3_VERSION);
  #endif
@@ -4113,6 +4119,7 @@ static int sh_ssl_sess_store(unsigned char *s_id, unsigned char *data, int data_
  	if (oldsh_ssl_sess != sh_ssl_sess) {
  		 /* NOTE: Row couldn't be in use because we lock read & write function */
  		/* release the reserved row */
++		first->len = 0; /* the len must be liberated in order not to call the release callback on it */
  		shctx_row_dec_hot(ssl_shctx, first);
  		/* replace the previous session already in the tree */
  		sh_ssl_sess = oldsh_ssl_sess;
@@ -5069,20 +5076,17 @@ int ssl_sock_prepare_bind_conf(struct bind_conf *bind_conf)
  	return -err;
+ }
--/* release ssl context allocated for servers. */
++/* release ssl context allocated for servers.  Most of the field free here
++ * must also be allocated in srv_ssl_settings_cpy() */
  void ssl_sock_free_srv_ctx(struct server *srv)
+ {
  #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
--	if (srv->ssl_ctx.alpn_str) {
--		free(srv->ssl_ctx.alpn_str);
--		srv->ssl_ctx.alpn_str = NULL;
--	}
++	free(srv->ssl_ctx.alpn_str);
++	srv->ssl_ctx.alpn_str = NULL;
  #endif
  #ifdef OPENSSL_NPN_NEGOTIATED
--	if (srv->ssl_ctx.npn_str) {
--		free(srv->ssl_ctx.npn_str);
--		srv->ssl_ctx.npn_str = NULL;
--	}
++	free(srv->ssl_ctx.npn_str);
++	srv->ssl_ctx.npn_str = NULL;
  #endif
  	if (srv->ssl_ctx.reused_sess) {
  		int i;
@@ -5101,6 +5105,25 @@ void ssl_sock_free_srv_ctx(struct server *srv)
  		SSL_CTX_free(srv->ssl_ctx.ctx);
  		srv->ssl_ctx.ctx = NULL;
+ 	}
++
++	free(srv->ssl_ctx.ca_file);
++	srv->ssl_ctx.ca_file = NULL;
++	free(srv->ssl_ctx.crl_file);
++	srv->ssl_ctx.crl_file = NULL;
++	free(srv->ssl_ctx.client_crt);
++	srv->ssl_ctx.client_crt = NULL;
++	free(srv->ssl_ctx.verify_host);
++	srv->ssl_ctx.verify_host = NULL;
++#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
++	free(srv->sni_expr);
++	srv->sni_expr = NULL;
++#endif
++	free(srv->ssl_ctx.ciphers);
++	srv->ssl_ctx.ciphers = NULL;
++#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
++	free(srv->ssl_ctx.ciphersuites);
++	srv->ssl_ctx.ciphersuites = NULL;
++#endif
+ }
  /* Walks down the two trees in bind_conf and frees all the certs. The pointer may
@@ -8083,7 +8106,7 @@ static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, str
+ {
  	int code;
  	char *p = args[cur_arg + 1];
--	unsigned long long *ignerr = &conf->crt_ignerr;
++	unsigned long long *ignerr = conf->crt_ignerr_bitfield;
  	if (!*p) {
  		if (err)
@@ -8092,22 +8115,22 @@ static int bind_parse_ignore_err(char **args, int cur_arg, struct proxy *px, str
+ 	}
  	if (strcmp(args[cur_arg], "ca-ignore-err") == 0)
--		ignerr = &conf->ca_ignerr;
++		ignerr = conf->ca_ignerr_bitfield;
  	if (strcmp(p, "all") == 0) {
--		*ignerr = ~0ULL;
++		cert_ignerr_bitfield_set_all(ignerr);
  		return 0;
+ 	}
  	while (p) {
  		code = atoi(p);
--		if ((code <= 0) || (code > 63)) {
++		if ((code <= 0) || (code > SSL_MAX_VFY_ERROR_CODE)) {
  			if (err)
--				memprintf(err, "'%s' : ID '%d' out of range (1..63) in error IDs list '%s'",
--				          args[cur_arg], code, args[cur_arg + 1]);
++				memprintf(err, "'%s' : ID '%d' out of range (1..%d) in error IDs list '%s'",
++					  args[cur_arg], code, SSL_MAX_VFY_ERROR_CODE, args[cur_arg + 1]);
  			return ERR_ALERT | ERR_FATAL;
+ 		}
--		*ignerr |= 1ULL << code;
++		cert_ignerr_bitfield_set(ignerr, code);
  		p = strchr(p, ',');
  		if (p)
  			p++;
 diff --git a/src/standard.c b/src/standard.c
 index 3dd3d6d..e941627 100644
 --- a/src/standard.c
 +++ b/src/standard.c
@@ -1613,7 +1613,8 @@ char *encode_chunk(char *start, char *stop,
  /*
   * Tries to prefix characters tagged in the <map> with the <escape>
-- * character. The input <string> must be zero-terminated. The result will
++ * character. The input <string> is processed until string_stop
++ * is reached or NULL-byte is encountered. The result will
   * be stored between <start> (included) and <stop> (excluded). This
   * function will always try to terminate the resulting string with a '\0'
   * before <stop>, and will return its position if the conversion
@@ -1621,11 +1622,11 @@ char *encode_chunk(char *start, char *stop,
   */
  char *escape_string(char *start, char *stop,
  		    const char escape, const long *map,
--		    const char *string)
++		    const char *string, const char *string_stop)
+ {
  	if (start < stop) {
  		stop--; /* reserve one byte for the final '\0' */
--		while (start < stop && *string != '\0') {
++		while (start < stop && string < string_stop && *string != '\0') {
  			if (!ha_bit_test((unsigned char)(*string), map))
  				*start++ = *string;
  			else {
 diff --git a/src/stick_table.c b/src/stick_table.c
 index 015463b..a3d63f3 100644
 --- a/src/stick_table.c
 +++ b/src/stick_table.c
@@ -215,7 +215,18 @@ int __stktable_trash_oldest(struct stktable *t, int to_batch)
  			ts->exp.key = ts->expire;
  			eb32_insert(&t->exps, &ts->exp);
--			if (!eb || eb->key > ts->exp.key)
++			/* the update might have jumped beyond the next element,
++			 * possibly causing a wrapping. We need to check whether
++			 * the next element should be used instead. If the next
++			 * element doesn't exist it means we're on the right
++			 * side and have to check the first one then. If it
++			 * exists and is closer, we must use it, otherwise we
++			 * use the current one.
++			 */
++			if (!eb)
++				eb = eb32_first(&t->exps);
++
++			if (!eb || tick_is_lt(ts->exp.key, eb->key))
  				eb = &ts->exp;
  			continue;
@@ -547,11 +558,12 @@ struct stksess *stktable_set_entry(struct stktable *table, struct stksess *nts)
  	return ts;
+ }
  /*
-- * Trash expired sticky sessions from table <t>. The next expiration date is
-- * returned.
++ * Task processing function to trash expired sticky sessions. A pointer to the
++ * task itself is returned since it never dies.
   */
--static int stktable_trash_expired(struct stktable *t)
++struct task *process_table_expire(struct task *task, void *context, unsigned short state)
+ {
++	struct stktable *t = context;
  	struct stksess *ts;
  	struct eb32_node *eb;
  	int looped = 0;
@@ -597,7 +609,18 @@ static int stktable_trash_expired(struct stktable *t)
  			ts->exp.key = ts->expire;
  			eb32_insert(&t->exps, &ts->exp);
--			if (!eb || eb->key > ts->exp.key)
++			/* the update might have jumped beyond the next element,
++			 * possibly causing a wrapping. We need to check whether
++			 * the next element should be used instead. If the next
++			 * element doesn't exist it means we're on the right
++			 * side and have to check the first one then. If it
++			 * exists and is closer, we must use it, otherwise we
++			 * use the current one.
++			 */
++			if (!eb)
++				eb = eb32_first(&t->exps);
++
++			if (!eb || tick_is_lt(ts->exp.key, eb->key))
  				eb = &ts->exp;
  			continue;
+ 		}
@@ -611,19 +634,8 @@ static int stktable_trash_expired(struct stktable *t)
  	/* We have found no task to expire in any tree */
  	t->exp_next = TICK_ETERNITY;
  out_unlock:
++	task->expire = t->exp_next;
  	HA_SPIN_UNLOCK(STK_TABLE_LOCK, &t->lock);
--	return t->exp_next;
--}
--
--/*
-- * Task processing function to trash expired sticky sessions. A pointer to the
-- * task itself is returned since it never dies.
-- */
--static struct task *process_table_expire(struct task *task, void *context, unsigned short state)
--{
--	struct stktable *t = context;
--
--	task->expire = stktable_trash_expired(t);
  	return task;
+ }
 diff --git a/src/stream.c b/src/stream.c
 index 96bdce7..01f5ed5 100644
 --- a/src/stream.c
 +++ b/src/stream.c
@@ -228,8 +228,17 @@ struct stream *stream_new(struct session *sess, enum obj_type *origin)
  	s->req_cap = NULL;
  	s->res_cap = NULL;
--	/* Initialise all the variables contexts even if not used.
++	/* Initialize all the variables contexts even if not used.
  	 * This permits to prune these contexts without errors.
++	 *
++	 * We need to make sure that those lists are not re-initialized
++	 * by stream-dependant underlying code because we could lose
++	 * track of already defined variables, leading to data inconsistency
++	 * and memory leaks...
++	 *
++	 * For reference: we had a very old bug caused by vars_txn and
++	 * vars_reqres being accidentally re-initialized in http_create_txn()
++	 * (https://github.com/haproxy/haproxy/issues/1935)
  	 */
  	vars_init(&s->vars_txn,    SCOPE_TXN);
  	vars_init(&s->vars_reqres, SCOPE_REQ);
@@ -1708,7 +1717,7 @@ static int process_store_rules(struct stream *s, struct channel *rep, int an_bit
  		void *ptr;
  		struct dict_entry *de;
--		if (objt_server(s->target) && objt_server(s->target)->flags & SRV_F_NON_STICK) {
++		if (!objt_server(s->target) || (__objt_server(s->target)->flags & SRV_F_NON_STICK)) {
  			stksess_free(s->store[i].table, s->store[i].ts);
  			s->store[i].ts = NULL;
  			continue;
@@ -1724,14 +1733,15 @@ static int process_store_rules(struct stream *s, struct channel *rep, int an_bit
  		HA_RWLOCK_WRLOCK(STK_SESS_LOCK, &ts->lock);
  		ptr = __stktable_data_ptr(s->store[i].table, ts, STKTABLE_DT_SERVER_ID);
  		stktable_data_cast(ptr, server_id) = __objt_server(s->target)->puid;
--		HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
--		HA_RWLOCK_WRLOCK(STK_SESS_LOCK, &ts->lock);
--		de = dict_insert(&server_name_dict, __objt_server(s->target)->id);
--		if (de) {
--			ptr = __stktable_data_ptr(s->store[i].table, ts, STKTABLE_DT_SERVER_NAME);
--			stktable_data_cast(ptr, server_name) = de;
++		if (__objt_server(s->target)->id) {
++			de = dict_insert(&server_name_dict, __objt_server(s->target)->id);
++			if (de) {
++				ptr = __stktable_data_ptr(s->store[i].table, ts, STKTABLE_DT_SERVER_NAME);
++				stktable_data_cast(ptr, server_name) = de;
++			}
+ 		}
++
  		HA_RWLOCK_WRUNLOCK(STK_SESS_LOCK, &ts->lock);
  		stktable_touch_local(s->store[i].table, ts, 1);
 diff --git a/src/stream_interface.c b/src/stream_interface.c
 index ab5c574..1adecf3 100644
 --- a/src/stream_interface.c
 +++ b/src/stream_interface.c
@@ -1149,7 +1149,7 @@ static void stream_int_chk_snd_conn(struct stream_interface *si)
  	struct channel *oc = si_oc(si);
  	struct conn_stream *cs = __objt_cs(si->end);
--	if (unlikely(!si_state_in(si->state, SI_SB_CON|SI_SB_RDY|SI_SB_EST) ||
++	if (unlikely(!si_state_in(si->state, SI_SB_RDY|SI_SB_EST) ||
  	    (oc->flags & CF_SHUTW)))
  		return;

Ubuntuhaproxy package

Merge ~lucaskanashiro/ubuntu/+source/haproxy:focal-mre into ubuntu/+source/haproxy:ubuntu/focal-devel

Commit message

Description of the change

Preview Diff

Subscribers

Ubuntu
haproxy package